WO2023125147A1 - Internet of things directional access management and control method and system - Google Patents

Internet of things directional access management and control method and system Download PDF

Info

Publication number
WO2023125147A1
Authority
WO
WIPO (PCT)
Prior art keywords
application
access
authentication
internet
things
Prior art date
Application number
PCT/CN2022/140374
Other languages
French (fr)
Chinese (zh)
Inventor
陈洲
陈冯
沈江兵
赵翔
兰卓睿
Original Assignee
天翼物联科技有限公司
Application filed by 天翼物联科技有限公司
Publication of WO2023125147A1

Classifications

    • H04L41/0803 Configuration setting (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks > H04L41/08 Configuration management of networks or network elements)
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks (H Electricity > H04 Electric communication technique > H04L Transmission of digital information > H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/01 Protocols)
    • H04L67/568 Storing data temporarily at an intermediate stage, e.g. caching (H Electricity > H04 Electric communication technique > H04L Transmission of digital information > H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/50 Network services > H04L67/56 Provisioning of proxy services)
    • H04L9/40 Network security protocols (H Electricity > H04 Electric communication technique > H04L Transmission of digital information > H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols)
    • Y02D30/70 Reducing energy consumption in communication networks in wireless communication networks (Y General tagging of new technological developments; general tagging of cross-sectional technologies spanning over several sections of the IPC; technical subjects covered by former USPC cross-reference art collections [XRACs] and digests > Y02 Technologies or applications for mitigation or adaptation against climate change > Y02D Climate change mitigation technologies in information and communication technologies [ICT], i.e. ICT aiming at the reduction of their own energy use > Y02D30/00 Reducing energy consumption in communication networks)

Definitions

  • the present invention relates to the technical field of the Internet of Things, in particular to a method and system for directional access control of the Internet of Things.
  • Directional access control in the Internet of Things is generally realised through a directional access configuration on the gateway, which releases (allows) the client device's directional access to the Internet service.
  • In order to order directional access services, customers must provide the various application services running on their devices and configure a series of directional access targets. Configuring and managing these targets is cumbersome, controlling and matching them on the network elements is troublesome, and acquiring the targets themselves is also laborious.
  • Most IoT devices install and use many of the same applications, and different applications also access the same Internet services.
  • For example, the audio-visual services of Internet of Vehicles companies often access third-party apps such as Baidu Navigation, AutoNavi, Tencent Video and QQ Music.
  • The directional access configuration on the network is a customer-level configuration.
  • To allow these applications across different customers and different devices, many identical directional configurations must be set repeatedly, and the number of directional addresses is limited. Operators therefore spend time repeating customer-level directional configuration on the network elements, which also consumes the network elements' matching time and results in low efficiency of application data transmission and access.
  • Embodiments of the present invention provide a method and system for directional access control of the Internet of Things, aiming at solving the problem of inefficiency in data transmission and access of applications caused by existing directional access control methods of the Internet of Things.
  • the embodiment of the present invention provides a method for directional access management and control of the Internet of Things, which is applied to a directional access management and control system of the Internet of Things.
  • the directional access management and control system of the Internet of Things includes an Internet of Things terminal, an Internet of Things platform, and a network resource module.
  • The IoT terminal includes an authentication SDK, and the authentication SDK caches the application information and application identifiers of applications that have already been accessed. The method includes: if the IoT terminal receives an application access request, intercepting the application access request and extracting the application information, where the application access request includes at least one access request initiated by the application; judging, according to the application information, whether the application exists in the local cache of the authentication SDK; if it does, marking the application access request with the application identifier corresponding to the application; if it does not, sending the application information to the Internet of Things platform so that the platform performs double authentication, and marking the application access request whose application information has passed the double authentication with the corresponding application identifier; and sending all application access requests to the network resource module, so that the network resource module judges whether to allow each request according to whether it is marked and whether the application is configured for pre-directed access.
  • The embodiment also provides a directional access management and control system for the Internet of Things. The system includes an Internet of Things terminal, an Internet of Things platform and a network resource module; the terminal includes an authentication SDK, and the terminal, the platform and the network resource module communicate with each other to jointly realize the above method.
  • An embodiment of the present invention provides a method and system for directional access management and control of the Internet of Things. The method includes: if the Internet of Things terminal receives an application access request, intercepting the application access request through the authentication SDK and extracting the application information, where the application access request includes at least one access request initiated by the application; judging, according to the application information, whether the application exists in the local cache of the authentication SDK; if it does, marking the application access request with the application identifier corresponding to the application; if it does not, sending the application information to the IoT platform so that the platform performs double authentication, and marking the application access request whose application information has passed the double authentication with the corresponding application identifier; and sending all application access requests to the network resource module, so that the network resource module judges whether to allow each request according to whether it is marked and whether the application is configured for pre-directed access.
  • FIG. 1 is a schematic diagram of an architecture of an Internet of Things directional access management and control system provided by an embodiment of the present invention
  • FIG. 2 is a schematic flowchart of a method for directional access control of the Internet of Things provided by an embodiment of the present invention
  • FIG. 3 is a schematic subflow diagram of a method for directional access control of the Internet of Things provided by an embodiment of the present invention
  • FIG. 4 is a schematic subflow diagram of a method for directional access control of the Internet of Things provided by an embodiment of the present invention
  • FIG. 5 is a schematic diagram of an interaction process of an application accessing a network in a method for directional access control of the Internet of Things provided by an embodiment of the present invention.
  • the term "if" may be construed as "when", "once", "in response to determining" or "in response to detecting", depending on the context.
  • the phrase "if determined" or "if [the described condition or event] is detected" may be construed, depending on the context, to mean "once determined", "in response to the determination", "once [the described condition or event] is detected" or "in response to detection of [the described condition or event]".
  • FIG. 1 is a schematic diagram of an architecture of an Internet of Things directional access management and control system provided by an embodiment of the present invention.
  • the Internet of Things directional access control system includes an Internet of Things terminal, an Internet of Things platform, and a network resource module, the Internet of Things terminal includes an application and an authentication SDK, and the Internet of Things platform includes an application management module, an application authentication module, and a behavior library module,
  • the network resource module includes network elements and Internet services.
  • the authentication SDK is used to intercept application access requests and extract application information, mark application requests that have passed the double verification, and cache the application information and application identification that have been accessed.
  • the application identifier (APPId) refers to the application ID used to uniquely identify the application.
  • application information refers to the characteristics of the application and the access behavior of the application, such as application name, application version, application size, directory structure, target address, service link, etc.
  • the application management module in the IoT platform is used to manage registered applications, and store the registered application information in the application management module.
  • the application authentication module registers and authenticates the application information registered in the application management module.
  • the behavior library module is used to authenticate the access behavior of registered and authenticated application information and establish normal access behavior records.
  • the network element is used to judge whether to allow the packet corresponding to the application access request to access the Internet service according to the application access request.
  • FIG. 5 is a schematic diagram of an interaction process of an application accessing a network in a method for directional access control of the Internet of Things provided by an embodiment of the present invention, in which APPId is an application identifier.
  • The registration process may specifically include the following steps S1A-S1B:
  • S1A: if the IoT platform receives an application registration request sent by the client, it extracts the application information from the registration request and stores it in the application management module.
  • An application that is to access network resources by authentication marking requires the user to register its application information with the Internet of Things platform in advance, so that it can subsequently pass the registration authentication of the application authentication module.
  • S1B: if the IoT platform receives an application-oriented (directional) access configuration request sent by the client, it extracts the directional access configuration information from the request and stores it in the network element.
  • Reserved applications access network resources through the directional access configuration, so for applications with special user needs the user can store the application's directional access configuration information in the network element in advance; the network element then allows the application to access network resources according to that configuration.
  • the IoT terminal can process the received application access request.
  • the specific implementation process of the Internet of Things directional access management and control method according to the embodiment of the present invention will be described in detail below with reference to FIG. 5 .
  • the method of the present invention includes the following steps S1-S6.
  • The authentication SDK intercepts the application access request and extracts the application information, where the application access request includes at least one access request initiated by the application.
  • four applications APP1, APP2, APP3, and APP4 are installed on the Internet of Things terminal, wherein APP1 and APP2 have been pre-registered on the Internet of Things platform, and APP1 has accessed network resources.
  • APP3 and APP4 are not pre-registered on the IoT platform, but APP3 has pre-configured directional access configuration information on the network element.
  • The four applications APP1, APP2, APP3 and APP4 all initiate application access requests on the Internet of Things terminal.
  • If the application is in the local cache of the authentication SDK, the application access request is marked with the application identifier corresponding to the application.
  • APP1 has accessed network resources before, so the application information and application ID of APP1 are already in the local cache of the authentication SDK.
  • The access request of APP1 is therefore marked with the cached identifier of APP1. This avoids authentication by the Internet of Things platform every time an application accesses network resources, improving the speed and efficiency of application access to network resources.
  • If the application is not in the local cache of the authentication SDK, the application information is sent to the IoT platform so that the IoT platform performs double authentication.
  • the application information corresponding to APP2, APP3 and APP4 is sent to the Internet of Things platform for double authentication.
  • The Internet of Things platform includes an application authentication module and a behavior library module; please refer to FIG. 3. The double authentication includes steps S41-S43. ("Double" here means two successive checks on the platform, registration authentication followed by access behavior authentication; it is not user two-factor authentication.)
  • S41: the application authentication module performs registration authentication on the received application information.
  • The IoT platform further includes an application management module, which stores the application information registered by the user. The application authentication module compares the received application information with the application information registered by the user in the application management module; if the comparison succeeds, registration authentication passes, and if it fails, registration authentication fails.
  • The Internet of Things platform performs registration authentication on the application information of APP2, APP3 and APP4. Because APP2 was pre-registered on the platform, the application management module holds APP2's registered application information, the comparison succeeds and registration authentication passes; because APP3 and APP4 are not pre-registered on the IoT platform, their registration authentication fails.
  • S42: if registration authentication passes, the application authentication module sends the application information to the behavior library module for access behavior authentication.
  • The behavior library module stores normal access behavior records and looks up whether the application information exists in them: if the application information is in the normal access behavior records, access behavior authentication passes; if it is not, access behavior authentication fails.
  • S43: if the behavior authentication passes, it is determined that the application information has passed the double authentication. Specifically, after registration authentication passes, access behavior authentication through the behavior library module strengthens the check, so as to prevent apps that are not in the normal access behavior records from accessing network resources. In one embodiment, the application information of APP2 is in the normal access behavior record, so APP2 passes the double authentication.
  • the behavior library module receives the application information and stores it for establishing a normal access behavior record.
  • Normal access behavior records are continuously updated historical data, established from the target addresses or service links that applications access (as carried in the application information); users can also set them according to the actual situation.
  • Among a large number of repeatedly accessed target addresses, a target access address with an occurrence probability above 50% is a normal target address; a target access address with an occurrence probability below 20% is an abnormal access address, and its corresponding application information is placed in the application abnormal access behavior record; target access addresses with an occurrence probability between 20% and 50% are suspicious target addresses, and the application information corresponding to a suspicious target address may pass access behavior authentication for a certain period of time, subject to subsequent manual audit or regular automatic audit by the system.
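  • The threshold rule above, written out as an added example (this is not code from the patent or from 天翼物联科技有限公司). It applies the three bands to an application's access history and implements the "pass for a while, then audit" handling of suspicious addresses. Assumptions that the page does not state: the occurrence probability is the share of an application's recorded accesses that went to a given target address; a suspicious address is allowed a fixed number of accesses before an audit decision is required; the sample history is constructed.

```python
# Added example, not the patent's own code. Behavior library applying the
# page's bands: >50% of accesses normal, <20% abnormal, 20%-50% suspicious.
# Assumption: probability = hits(target) / total accesses recorded for the app.
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

NORMAL_ABOVE = 0.50     # strictly above 50%: normal target address
ABNORMAL_BELOW = 0.20   # strictly below 20%: abnormal access address


class BehaviorLibrary:
    def __init__(self, suspicious_grace: int = 5) -> None:
        self.history: Dict[str, Counter] = defaultdict(Counter)  # app -> target -> hits
        self.suspicious_grace = suspicious_grace                 # assumed grace window
        self.grace_used: Counter = Counter()                     # (app, target) -> passes granted
        self.audit_queue: List[Tuple[str, str]] = []             # suspicious pairs awaiting audit
        self.audit_result: Dict[Tuple[str, str], bool] = {}      # audited pairs -> decision

    def record(self, app: str, target: str, count: int = 1) -> None:
        """Add observed accesses to the continuously updated history."""
        self.history[app][target] += count

    def classify(self, app: str, target: str) -> Tuple[str, float]:
        hits = self.history[app]
        total = sum(hits.values())
        if total == 0:
            return "abnormal", 0.0          # no history: nothing is normal yet
        p = hits[target] / total
        if p > NORMAL_ABOVE:
            return "normal", p
        if p < ABNORMAL_BELOW:
            return "abnormal", p
        return "suspicious", p              # 20% to 50% inclusive

    def authenticate(self, app: str, target: str) -> bool:
        """Access behavior authentication (step S42 of the page's flow)."""
        key = (app, target)
        if key in self.audit_result:        # an audit has already decided this pair
            return self.audit_result[key]
        label, _ = self.classify(app, target)
        if label == "normal":
            return True
        if label == "abnormal":
            return False
        if self.grace_used[key] < self.suspicious_grace:   # suspicious: pass for a while
            self.grace_used[key] += 1
            if key not in self.audit_queue:
                self.audit_queue.append(key)
            return True
        return False                        # grace exhausted and not yet audited

    def resolve_audit(self, app: str, target: str, approved: bool) -> None:
        """Manual or scheduled automatic audit outcome for a suspicious pair."""
        key = (app, target)
        self.audit_result[key] = approved
        if key in self.audit_queue:
            self.audit_queue.remove(key)


def build_sample_library() -> BehaviorLibrary:
    """Constructed history for one application (not real data)."""
    lib = BehaviorLibrary(suspicious_grace=3)
    lib.record("APP2", "https://nav.example/route", 60)      # 60% -> normal
    lib.record("APP2", "https://music.example/stream", 30)   # 30% -> suspicious
    lib.record("APP2", "https://unknown.example/beacon", 10) # 10% -> abnormal
    return lib


if __name__ == "__main__":
    lib = build_sample_library()
    for t in ("https://nav.example/route", "https://music.example/stream",
              "https://unknown.example/beacon"):
        print(t, lib.classify("APP2", t), lib.authenticate("APP2", t))
```

  • The bands are evaluated per application, so an address that is normal for one app can still be abnormal for another; an application with no history at all fails behavior authentication, which matches the page's requirement that only addresses present in the normal access behavior records pass.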
  • the application access request corresponding to the application information that has passed the double authentication is marked with the corresponding application identification.
  • If the application information passes the double authentication, the application authentication module generates an application identifier corresponding to that application information and returns it to the authentication SDK. The authentication SDK then caches the application information that passed the double authentication, together with its application identifier, in its local cache.
  • After APP2 has passed the double authentication, the application authentication module generates the corresponding APPId and returns it to the authentication SDK.
  • The authentication SDK uses the APPId to mark the application access request of APP2 and caches APP2's application information and application identifier in its local cache, so that on APP2's next access it finds APP2's application information in the local cache and marks APP2's application access request with APP2's application ID.
  • All application access requests are sent to the network resource module, so that the network resource module judges whether to allow each one according to whether it is marked and whether the application is configured for pre-directed access.
  • The application access requests of APP3 and APP4, which failed authentication and are therefore unmarked, are sent directly to the network resource module, as are the marked application access requests of APP1 and APP2.
  • The network resource module judges whether to allow each request according to whether it is marked and whether the application is configured for pre-directed access.
  • The network resource module includes network elements and Internet services; please refer to FIG. 4.
  • Step S6 includes steps S61-S65.
  • S61: the network element detects whether each application access request is marked.
  • A marked application access request is an access request of an application registered in advance on the IoT platform side.
  • S62: if the application access request is marked, the packet of the application access request is released to the Internet service.
  • The application access requests of APP1 and APP2 were marked by the above steps before reaching the network element, so the network element releases the packets of the application access requests of APP1 and APP2 to the Internet service.
  • S63: if the application access request is not marked, it is judged whether the application is configured for pre-directed access. Specifically, in one embodiment, registration authentication of APP3 and APP4 failed, so after the above steps their application access requests reach the network element unmarked, and it is necessary to further determine whether they are applications configured for pre-directed access.
  • S64: if the application is configured for pre-directed access, the packet of the application access request is released to the Internet service.
  • APP3 has directional access configuration information pre-configured on the network element, so the network element releases the packet of APP3's application access request to the Internet service.
  • S65: if the application is not configured for pre-directed access, the packet of the application access request is blocked from being sent to the Internet service.
  • APP4 does not pre-configure directional access configuration information on the network element and the application access request of APP4 is not marked, then the network element blocks the packet of the application access request to the Internet service.
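  • The four-application walkthrough above, run end to end as an added example (this is not code from the patent or from 天翼物联科技有限公司). It models the authentication SDK with its local cache, the platform's double authentication (S41-S43) and the network element's decision (S61-S65), and reproduces the outcomes for APP1 to APP4. Assumptions that the page does not state: application information is a dict with a name and a version; the "mark" is the APPId string carried on the request; the network element releases a request on the mere presence of a mark; the target addresses and the APPId format are constructed.

```python
# Added example, not the patent's own code. End-to-end model of the
# directional access control flow with APP1..APP4 from the embodiment.
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class AccessRequest:
    app_name: str
    target: str                    # target address / service link being accessed
    app_id: Optional[str] = None   # the mark; None means the request is unmarked


class IoTPlatform:
    """Application management, application authentication and behavior
    library modules, collapsed into one class for the example."""

    def __init__(self) -> None:
        self.registered: Dict[str, dict] = {}            # application management module
        self.normal_behavior: Dict[str, Set[str]] = {}   # behavior library: name -> normal targets
        self.issued: Dict[str, str] = {}                 # APPIds issued after double authentication

    def register_application(self, app_info: dict) -> None:        # S1A
        self.registered[app_info["name"]] = dict(app_info)

    def record_normal_behavior(self, name: str, target: str) -> None:
        self.normal_behavior.setdefault(name, set()).add(target)

    def registration_auth(self, app_info: dict) -> bool:            # S41
        reg = self.registered.get(app_info["name"])
        return reg is not None and reg["version"] == app_info["version"]

    def behavior_auth(self, app_info: dict) -> bool:                # S42
        return app_info["target"] in self.normal_behavior.get(app_info["name"], set())

    def double_auth(self, app_info: dict) -> Optional[str]:         # S41-S43
        """Return an APPId only if both checks pass; otherwise no mark is issued."""
        if not self.registration_auth(app_info) or not self.behavior_auth(app_info):
            return None
        name = app_info["name"]
        if name not in self.issued:
            self.issued[name] = "APPID-%04d" % (len(self.issued) + 1)   # assumed format
        return self.issued[name]


class AuthSDK:
    """Authentication SDK on the terminal: intercepts requests, marks from the
    local cache, or asks the platform and caches a successful result."""

    def __init__(self, platform: IoTPlatform) -> None:
        self.platform = platform
        self.cache: Dict[Tuple[str, str], str] = {}   # (name, version) -> APPId
        self.platform_calls = 0

    def intercept(self, app_info: dict, target: str) -> AccessRequest:
        req = AccessRequest(app_info["name"], target)
        key = (app_info["name"], app_info["version"])
        if key in self.cache:                          # cache hit: mark locally
            req.app_id = self.cache[key]
            return req
        self.platform_calls += 1                       # cache miss: double authentication
        app_id = self.platform.double_auth({**app_info, "target": target})
        if app_id is not None:                         # passed: mark and cache
            req.app_id = app_id
            self.cache[key] = app_id
        return req                                     # failed: forwarded unmarked


class NetworkElement:
    def __init__(self) -> None:
        self.directional: Set[str] = set()   # applications with pre-directed access configuration

    def configure_directional_access(self, app_name: str) -> None:   # S1B
        self.directional.add(app_name)

    def decide(self, req: AccessRequest) -> str:                     # S61-S65
        if req.app_id is not None:            # S62: marked, release to the Internet service
            return "release"
        if req.app_name in self.directional:  # S64: unmarked but pre-configured, release
            return "release"
        return "block"                        # S65: unmarked and not configured, block


def run_scenario() -> dict:
    """APP1, APP2 registered; APP1 already accessed (cached); APP3 has a
    directional configuration on the network element; APP4 has nothing."""
    platform, ne = IoTPlatform(), NetworkElement()
    sdk = AuthSDK(platform)
    apps = {n: {"name": n, "version": "1.0"} for n in ("APP1", "APP2", "APP3", "APP4")}
    targets = {n: "https://%s.example/api" % n.lower() for n in apps}   # constructed
    for n in ("APP1", "APP2"):
        platform.register_application(apps[n])
        platform.record_normal_behavior(n, targets[n])
    # APP1 has accessed before, so its APPId is already in the SDK cache
    sdk.cache[("APP1", "1.0")] = platform.double_auth({**apps["APP1"], "target": targets["APP1"]})
    ne.configure_directional_access("APP3")

    outcome = {}
    for n in apps:
        req = sdk.intercept(apps[n], targets[n])
        outcome[n] = ("marked" if req.app_id else "unmarked", ne.decide(req))
    calls_first_pass = sdk.platform_calls
    for n in apps:   # second access: only the apps that failed hit the platform again
        sdk.intercept(apps[n], targets[n])
    return {"outcome": outcome, "calls_first_pass": calls_first_pass,
            "calls_second_pass": sdk.platform_calls - calls_first_pass}


if __name__ == "__main__":
    print(run_scenario())
```

  • The decision in `decide` mirrors the page: presence of a mark is sufficient for release. The page does not say how a network element tells a genuine mark from one written by an arbitrary process on the terminal, so a deployment needs the mark bound to the platform in some verifiable way rather than carried as a bare identifier; that binding is outside what the page describes. Note also that failed applications are never cached, so APP3 and APP4 are re-authenticated on every access.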
  • An embodiment of the present invention provides a method for directional access control of the Internet of Things. The method includes: if the Internet of Things terminal receives an application access request, intercepting the application access request through the authentication SDK and extracting the application information, where the application access request includes at least one access request initiated by the application; judging, according to the application information, whether the application exists in the local cache of the authentication SDK; if it does, marking the application access request with the application identifier corresponding to the application; if it does not, sending the application information to the Internet of Things platform so that the platform performs double authentication, and marking the application access request whose application information has passed the double authentication with the corresponding application identifier; and sending all application access requests to the network resource module, so that the network resource module judges whether to allow each request according to whether it is marked and whether the application is configured for pre-directed access.
  • Fig. 1 is a schematic diagram of an architecture of an Internet of Things directional access management and control system provided by an embodiment of the present invention.
  • the present invention also provides a system for controlling directional access to the Internet of Things.
  • the system includes: an Internet of Things terminal 10, an Internet of Things platform 20 and a network resource module 30, the Internet of Things terminal 10 includes an authentication SDK 12 and an application 11, and the Internet of Things platform 20 includes an application management module 21.
  • the network resource module 30 includes a network element 31 and an Internet service 32.
  • the Internet of Things terminal 10, the Internet of Things platform 20, and the network resource module 30 communicate with each other to jointly implement the above-mentioned Internet of Things directional access control method.
  • The IoT terminal 10 is configured to: if it receives an application access request, intercept the application access request through the authentication SDK 12 and extract the application information, where the application access request includes at least one access request initiated by the application 11; judge, according to the application information, whether the application exists in the local cache of the authentication SDK 12; if it does, mark the application access request with the application identifier corresponding to the application; if it does not, send the application information to the Internet of Things platform 20 so that the platform performs double authentication, and mark the application access request whose application information has passed the double authentication with the corresponding application identifier; and send all application access requests to the network resource module 30, so that the network resource module 30 judges whether to allow each request according to whether it is marked and whether the application is configured for pre-directed access.
  • The Internet of Things platform 20 includes an application authentication module 22 and a behavior library module 23. The application authentication module 22 performs registration authentication on the received application information; if registration authentication passes, it sends the application information to the behavior library module 23 for access behavior authentication; if the behavior authentication passes, the application information is determined to have passed the double authentication.
  • The IoT platform 20 also includes an application management module 21, which stores the application information registered by the user. The application authentication module 22 compares the received application information with the application information registered by the user in the application management module 21; if the comparison succeeds, registration authentication passes; if it fails, registration authentication fails.
  • Normal access behavior records are stored in the behavior library module 23, which looks up whether the application information exists in them: if it does, access behavior authentication passes; if it does not, access behavior authentication fails.
  • The application authentication module 22 is further configured to generate, for application information that has passed the double authentication, a corresponding application identifier and return it to the authentication SDK 12.
  • The authentication SDK 12 is configured to cache the application information that has passed the double authentication, together with its application identifier, in its local cache.
  • The network resource module 30 includes a network element 31 and an Internet service 32. The network element 31 detects whether each application access request is marked: if it is marked, the packet of the request is released to the Internet service 32; if it is not marked, the network element judges whether the application has a pre-directed access configuration, releases the packet to the Internet service 32 if it does, and blocks the packet if it does not.
  • The behavior library module 23 is configured to receive the application information and store it for establishing normal access behavior records.
  • The IoT platform 20 is further configured to: if it receives an application registration request from the client, extract the application information from the registration request and store it in the application management module 21; and if it receives an application-oriented (directional) access configuration request from the client, extract the directional access configuration information from the request and store it in the network element 31.
  • the disclosed devices and methods may be implemented in other ways.
  • the device embodiments described above are illustrative only.
  • the division into units is only a logical functional division; there may be other divisions in actual implementation.
  • several units or components may be combined or integrated into another system, or some features may be omitted or not implemented.
  • each functional unit in each embodiment of the present invention may be integrated into one processing unit, each unit may exist separately and physically, or two or more units may be integrated into one unit.
  • when the integrated unit is realized in the form of a software functional unit and sold or used as an independent product, it may be stored in a storage medium.
  • the technical solution of the present invention, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium.
  • the software product includes several instructions that cause a computer device (which may be a personal computer, a terminal, a network device, etc.) to execute all or part of the steps of the method described in each embodiment of the present invention.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Information Transfer Between Computers (AREA)
  • Computer And Data Communications (AREA)

Abstract

An embodiment of the present invention relates to the technical field of the Internet of Things. Disclosed are an Internet of Things directional access management and control method and system. The method comprises: if an Internet of Things terminal receives an application access request, intercepting the application access request by means of an authentication SDK and extracting application information; according to the application information, determining whether the application is present in a local cache of the authentication SDK; if the application is not present in the local cache of the authentication SDK, sending the application information to an Internet of Things platform for dual authentication, and marking the application access request corresponding to application information which passes dual authentication; and sending all application access requests to a network resource module so that the network resource module can determine whether to release them. By marking the application access requests that have passed dual authentication and using the mark as the basis on which the network element releases traffic, the time a user spends on repeated directional configuration is shortened and the matching time of the network element is also shortened, thus increasing the efficiency of application data transmission and access.

Description

Internet of Things directional access control method and system
Technical field
The present invention relates to the technical field of the Internet of Things, and in particular to a directional access control method and system for the Internet of Things.
Background
At present, access control for directional IoT is generally implemented by directional access configuration on the gateway, which releases a customer device's directional access to Internet services. To order a directional access service, the customer must provide the various application services according to the customer device and configure a series of directional access targets. Configuring and managing these directional access targets is tedious, control and matching on the network element is troublesome, and obtaining the directional access targets is also troublesome for the customer. For example, most IoT devices install and use many of the same applications, and different applications also access the same Internet services: the audio-visual services of Internet-of-Vehicles companies often integrate third-party apps such as Baidu Navigation, AutoNavi (Amap) Navigation, Tencent Video and QQ Music. Because directional access configuration on the network is customer-level configuration, releasing these applications for different customers and different devices requires many identical directional configurations to be set repeatedly, and the number of directional addresses is limited. As a result, the operator has to spend time on the network element repeating customer-level directional configuration, which consumes the network element's matching time and makes application data transmission and access inefficient.
Summary of the invention
Embodiments of the present invention provide an IoT directional access control method and system, aiming to solve the problem that existing IoT directional access control methods make application data transmission and access inefficient.
In a first aspect, an embodiment of the present invention provides an IoT directional access control method applied to an IoT directional access control system. The system comprises an IoT terminal, an IoT platform and a network resource module; the IoT terminal comprises an authentication SDK, and the authentication SDK caches the application information and application identifiers of applications that have already accessed the network. The method comprises: if the IoT terminal receives an application access request, intercepting the application access request through the authentication SDK and extracting the application information, where the application access request comprises at least one access request initiated by the application; judging from the application information whether the application exists in the local cache of the authentication SDK; if the application is in the local cache of the authentication SDK, marking the application access request with the application identifier corresponding to the application; if the application is not in the local cache of the authentication SDK, sending the application information to the IoT platform so that the IoT platform performs double authentication, and marking the application access request corresponding to application information that passes double authentication with the corresponding application identifier; and sending all application access requests to the network resource module, so that the network resource module judges whether to release them according to whether the application access request is marked and whether the application has a pre-directed access configuration.
In a second aspect, an embodiment of the present invention further provides an IoT directional access control system comprising an IoT terminal, an IoT platform and network resources, where the IoT terminal comprises an authentication SDK, and the IoT terminal, the IoT platform and the network resources communicate with one another to jointly implement the above method.
An embodiment of the present invention provides an IoT directional access control method and system. The method comprises: if the IoT terminal receives an application access request, intercepting the application access request through the authentication SDK and extracting the application information, where the application access request comprises at least one access request initiated by the application; judging from the application information whether the application exists in the local cache of the authentication SDK; if the application is in the local cache of the authentication SDK, marking the application access request with the application identifier corresponding to the application; if the application is not in the local cache of the authentication SDK, sending the application information to the IoT platform so that the IoT platform performs double authentication, and marking the application access request corresponding to application information that passes double authentication with the corresponding application identifier; and sending all application access requests to the network resource module, so that the network resource module judges whether to release them according to whether the application access request is marked and whether the application has a pre-directed access configuration. On the basis of retaining directional access configuration as a means of controlling application access to the network, requests from applications that pass double authentication are marked and the mark serves as the basis on which the network element releases them. This reduces the time users spend on repeated directional configuration, shortens the matching time of the network element, and improves the efficiency of application data transmission and access.
Description of the drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed for describing the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic architecture diagram of an IoT directional access control system provided by an embodiment of the present invention;
FIG. 2 is a schematic flowchart of an IoT directional access control method provided by an embodiment of the present invention;
FIG. 3 is a schematic sub-flowchart of an IoT directional access control method provided by an embodiment of the present invention;
FIG. 4 is a schematic sub-flowchart of an IoT directional access control method provided by an embodiment of the present invention;
FIG. 5 is a schematic diagram of the interaction process of an application accessing the network in an IoT directional access control method provided by an embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art from these embodiments without creative effort fall within the protection scope of the present invention.
It should be understood that, when used in this specification and the appended claims, the terms "comprising" and "comprises" indicate the presence of the described features, integers, operations, elements and/or components, but do not exclude the presence or addition of one or more other features, integers, operations, elements, components and/or collections thereof.
It should also be understood that the terminology used in this specification is for the purpose of describing particular embodiments only and is not intended to limit the present invention. As used in this specification and the appended claims, the singular forms "a", "an" and "the" are intended to include the plural forms unless the context clearly indicates otherwise.
It should further be understood that the term "and/or" used in this specification and the appended claims refers to any combination and all possible combinations of one or more of the associated listed items, and includes these combinations.
As used in this specification and the appended claims, the term "if" may be interpreted as "when", "once", "in response to determining" or "in response to detecting", depending on the context. Similarly, the phrase "if it is determined" or "if [the described condition or event] is detected" may be interpreted as "once it is determined", "in response to determining", "once [the described condition or event] is detected" or "in response to detecting [the described condition or event]", depending on the context.
An embodiment of the present invention provides an IoT directional access control method applied to an IoT directional access control system. Refer to FIG. 1, a schematic architecture diagram of an IoT directional access control system provided by an embodiment of the present invention. The IoT directional access control system comprises an IoT terminal, an IoT platform and a network resource module; the IoT terminal comprises applications and an authentication SDK; the IoT platform comprises an application management module, an application authentication module and a behavior library module; and the network resource module comprises a network element and Internet services.
The authentication SDK intercepts application access requests and extracts application information, marks the requests of applications that pass double authentication, and caches the application information and application identifiers of applications that have already accessed the network. The application identifier is the application ID that uniquely identifies an application. Application information means the characteristics of the application and its access behavior, for example application name, application version, application size, directory structure, target address and service link. The application management module on the IoT platform manages registered applications and stores the registered application information. The application authentication module performs registration authentication of application information against the information registered in the application management module. The behavior library module performs access behavior authentication of application information that has passed registration authentication and builds the normal access behavior record. The network element judges, from the application access request, whether to release the packets of that request to the Internet service.
Refer to FIG. 5, a schematic diagram of the interaction process of an application accessing the network in the IoT directional access control method provided by an embodiment of the present invention, in which APPId is the application identifier.
Before an application accesses the network, the user must register the application on the IoT platform through the client, or store the application's directional access configuration information in the network element through the IoT platform. The registration process may comprise the following steps S1A-S1B:
S1A: if the IoT platform receives an application registration request sent by the client, extract the application information from the registration request and store it in the application management module.
In a specific implementation, if the IoT platform receives an application registration request sent by the client, it extracts the application information from the registration request and stores it in the application management module. In one embodiment, an application that is to access network resources by authentication and marking requires the user to register its application information with the IoT platform in advance, so that it can subsequently pass the registration authentication of the application authentication module.
S1B: if the IoT platform receives an application directional access configuration request sent by the client, extract the application directional access configuration information from the request and store it in the network element.
In a specific implementation, if the IoT platform receives an application directional access configuration request sent by the client, it extracts the application directional access configuration information from the request and stores it in the network element. Specifically, in one embodiment, access to network resources by means of directional access configuration is retained, so for an application with special requirements the user can store that application's directional access configuration information in the network element in advance, so that the network element subsequently releases that application's access to network resources according to the directional access configuration information.
After steps S1A-S1B are completed, the IoT terminal can process received application access requests. The specific implementation of the IoT directional access control method of this embodiment is described in detail below with reference to FIG. 5. As shown in FIG. 2, the method comprises the following steps S1-S6.
S1: if the IoT terminal receives an application access request, intercept the application access request through the authentication SDK and extract the application information.
In a specific implementation, if the IoT terminal receives an application access request, the authentication SDK intercepts the application access request and extracts the application information, where the application access request comprises at least one access request initiated by an application. Specifically, four applications APP1, APP2, APP3 and APP4 are installed on the IoT terminal. APP1 and APP2 have been registered in advance on the IoT platform, and APP1 has accessed network resources before. APP3 and APP4 are not registered on the IoT platform, but APP3 has directional access configuration information pre-configured on the network element. In one embodiment, all four applications initiate application access requests to the IoT terminal.
S2: judge from the application information whether the application exists in the local cache of the authentication SDK.
In a specific implementation, whether the application exists in the local cache of the authentication SDK is judged from the application information. Specifically, in one embodiment, for an application that has already accessed network resources, its application information and application identifier are cached in the authentication SDK for use the next time that application accesses the network.
S3: if the application is in the local cache of the authentication SDK, mark the application access request with the application identifier corresponding to the application.
In a specific implementation, if the application is in the local cache of the authentication SDK, the application access request is marked with the application identifier corresponding to the application. Specifically, in one embodiment, APP1 has accessed network resources before, so APP1's application information and application identifier are in the local cache of the authentication SDK; when APP1 is found in the local cache, the cached application identifier of APP1 is used to mark APP1's access request. This avoids having every access to network resources authenticated by the IoT platform, which improves the speed and efficiency of application access to network resources.
S4: if the application does not exist in the local cache of the authentication SDK, send the application information to the IoT platform so that the IoT platform performs double authentication.
In a specific implementation, if the application does not exist in the local cache of the authentication SDK, the application information is sent to the IoT platform so that the IoT platform performs double authentication. Specifically, in one embodiment, the application information of APP2, APP3 and APP4 is sent to the IoT platform for double authentication.
In one embodiment, the IoT platform comprises an application authentication module and a behavior library module; refer to FIG. 3. The double authentication comprises steps S41-S43.
S41: the application authentication module performs registration authentication on the received application information.
In a specific implementation, the application authentication module performs registration authentication on the received application information. Specifically, the IoT platform further comprises an application management module that stores the application information registered by users. The application authentication module compares the received application information with the user-registered application information in the application management module: if the comparison succeeds, registration authentication passes; if it fails, registration authentication fails. In one embodiment, the IoT platform performs registration authentication on the application information of APP2, APP3 and APP4. Because APP2 was registered in advance on the IoT platform, the application management module holds APP2's registered application information, so APP2's application information matches and registration authentication passes. Because APP3 and APP4 were not registered in advance on the IoT platform, their registration authentication fails.
S42: if registration authentication passes, the application authentication module sends the application information to the behavior library module for access behavior authentication.
In a specific implementation, if registration authentication passes, the application authentication module sends the application information to the behavior library module for access behavior authentication. Specifically, in one embodiment, the behavior library module stores normal access behavior records and looks up whether the application information exists in those records; if the application information is in the normal access behavior record, access behavior authentication passes; if it is not, access behavior authentication fails.
S43: if behavior authentication passes, determine that the application information has passed double authentication.
In a specific implementation, if behavior authentication passes, the application information is determined to have passed double authentication. Specifically, after the application information passes registration authentication, the behavior library module performs access behavior authentication as a strengthened second check, to prevent apps that are not in the normal access behavior record from accessing network resources. In one embodiment, APP2's application information is in the normal access behavior record, so APP2 passes double authentication.
Note that after an application has passed registration authentication, the behavior library module receives its application information and stores it to build the normal access behavior record. The normal access behavior record is continuously updated historical data built from the target addresses or service links the application accesses, as given in the application information; users can set it according to the actual situation. In one embodiment: if a target address that has never been visited before appears among a large number of repeatedly visited target addresses, the application information corresponding to that address is entered in the application abnormal access behavior record; among a large number of repeatedly visited target addresses, a target address with an occurrence probability above 50% is a normal target address; one with an occurrence probability below 20% is an abnormal access address, and its corresponding application information is entered in the application abnormal access behavior record; one with an occurrence probability of 20%-50% is a suspect target address, whose corresponding application information may pass access behavior authentication for a certain period of time, to be followed by manual review or periodic automatic system review.
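The threshold rules above can be turned into a small behavior library. The following is an added example written for this page, not code from the patent application or its applicant: it keeps per-application hit counts for target addresses, applies the 50% / 20% thresholds and the never-visited rule exactly as stated, and lets a suspect (20%-50%) address pass for a grace window before it is pushed to the abnormal record for review. The per-application scope of the shares, the length of the grace window, the class and field names and the constructed history for APP2 are assumptions the text does not fix.

```python
"""Behavior library: classify an application's target addresses.

Added example, not code from the patent application. Thresholds follow the
description (share of repeated accesses >= 50% normal, < 20% abnormal,
20%-50% suspect, never-visited address abnormal). Per-application scope,
the suspect grace window and the sample data are assumptions.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

NORMAL_MIN_SHARE = 0.50       # >= 50% of the app's recorded accesses -> normal target address
ABNORMAL_MAX_SHARE = 0.20     # <  20%                                -> abnormal target address
SUSPECT_WINDOW_S = 24 * 3600  # assumed "certain period" in which suspect addresses still pass


class BehaviourLibrary:
    def __init__(self) -> None:
        self.history: Dict[str, Counter] = defaultdict(Counter)        # app -> target -> hits
        self.suspect_since: Dict[Tuple[str, str], float] = {}          # (app, target) -> first suspect time
        self.abnormal_records: List[dict] = []                         # application abnormal access record

    def record(self, app: str, target: str, hits: int = 1) -> None:
        """Store access behaviour; the text has this happen after registration authentication."""
        self.history[app][target] += hits

    def classify(self, app: str, target: str) -> str:
        counts = self.history.get(app)
        hits = counts.get(target, 0) if counts else 0
        if hits == 0:
            return "abnormal"            # never-visited address among the repeated accesses
        share = hits / sum(counts.values())
        if share >= NORMAL_MIN_SHARE:
            return "normal"
        if share < ABNORMAL_MAX_SHARE:
            return "abnormal"
        return "suspect"                 # 20%-50%: passes for a while, then needs review

    def authenticate(self, app_info: dict, now: float) -> bool:
        """Access behaviour authentication (step S42). True means the check passes."""
        app, target = app_info["app_name"], app_info["target"]
        verdict = self.classify(app, target)
        if verdict == "normal":
            self.record(app, target)
            return True
        if verdict == "abnormal":
            self.abnormal_records.append({**app_info, "verdict": verdict})
            return False
        first_seen = self.suspect_since.setdefault((app, target), now)
        if now - first_seen <= SUSPECT_WINDOW_S:
            self.record(app, target)     # tolerated for now; left for manual / periodic audit
            return True
        self.abnormal_records.append({**app_info, "verdict": "suspect-expired"})
        return False


def build_sample_library() -> BehaviourLibrary:
    """Constructed history for APP2: 100 recorded accesses spread over three targets."""
    lib = BehaviourLibrary()
    lib.record("APP2", "https://nav.example.invalid/api", 70)      # 70% -> normal
    lib.record("APP2", "https://music.example.invalid/api", 25)    # 25% -> suspect
    lib.record("APP2", "https://ads.example.invalid/track", 5)     #  5% -> abnormal
    return lib


if __name__ == "__main__":
    lib = build_sample_library()
    for t in ("https://nav.example.invalid/api", "https://music.example.invalid/api",
              "https://ads.example.invalid/track", "https://never.example.invalid/"):
        print(t, lib.classify("APP2", t))
```

One consequence worth noting: an application with no history at all gets "abnormal" for every address, so the library has to be seeded (the text does this by storing the application information once registration authentication passes) before behavior authentication can ever succeed.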
S5: mark the application access request corresponding to application information that has passed double authentication with the corresponding application identifier.
In a specific implementation, the application access request corresponding to application information that has passed double authentication is marked with the corresponding application identifier. Specifically, in one embodiment, if the application information passes double authentication, the application authentication module generates an application identifier corresponding to that application information and returns it to the authentication SDK. Further, the authentication SDK caches the application information that passed double authentication, together with its application identifier, in the local cache of the authentication SDK.
In one embodiment, after APP2 passes double authentication, the application authentication module generates the corresponding APPId and returns it to the authentication SDK. The authentication SDK uses this APPId to mark APP2's application access request and caches APP2's application information and application identifier in its local cache, so that the next time APP2 accesses the network, APP2's application information is found in the local cache and APP2's application identifier is used to mark its application access request.
S6,将所有所述应用访问请求发送至所述网络资源模块,以使所述网络资源模块根据所述应用访问请求是否打标以及该应用是否为预先定向访问配置的应用判断是否放通。S6. Send all the application access requests to the network resource module, so that the network resource module judges whether to allow it according to whether the application access request is marked and whether the application is an application configured for pre-directed access.
具体实施中,将所有所述应用访问请求发送至所述网络资源模块,以使所述网络资源模块根据所述应用访问请求是否打标以及该应用是否为预先定向访问配置的应用判断是否放通。具体地,对于认证失败而未打标的APP3与APP4的应用访问请求直接发送给网络资源模块,而将APP1与APP2打标后的应用访问请求发送给网络资源模块。In a specific implementation, all the application access requests are sent to the network resource module, so that the network resource module judges whether to allow it according to whether the application access request is marked and whether the application is a pre-directed access configuration application . Specifically, the application access requests of APP3 and APP4 that fail to be authenticated but not marked are directly sent to the network resource module, while the marked application access requests of APP1 and APP2 are sent to the network resource module.
在一实施例中,在保留应用通过定向访问配置的原始方式访问网络资源的基础上,增加了应用通过打标认证的方式访问网络资源,故网络资源模块根据应用访问请求是否打标以及该应用是否为预先定向访问配置的应用判断是否放通。In one embodiment, on the basis of retaining the original way for applications to access network resources through directional access configuration, an application access to network resources through marking and authentication is added. Therefore, the network resource module marks and the application Whether it is an application configured for pre-directed access to determine whether to allow it.
In one embodiment, the network resource module includes a network element and an Internet service. Referring to FIG. 4, step S6 includes steps S61 to S65.
S61. The network element detects whether each of the application access requests is marked.
In a specific implementation, the network element detects whether each of the application access requests is marked. Specifically, in one embodiment, a marked application access request is an application access request of an application registered in advance on the IoT platform side.
S62. If the application access request is marked, pass the packets of that application access request through to the Internet service.
In a specific implementation, if the application access request is marked, the packets of that application access request are passed through to the Internet service. Specifically, in one embodiment, the application access requests of APP1 and APP2 arrive at the network element as marked application access requests after the processing of the above steps, so the network element passes the packets of the application access requests of APP1 and APP2 through to the Internet service.
S63. If the application access request is not marked, determine whether the application is one with pre-configured directional access.
In a specific implementation, if the application access request is not marked, it is determined whether the application is one with pre-configured directional access. Specifically, in one embodiment, the registration authentication of APP3 and APP4 failed, so after the processing of the above steps the application access requests of APP3 and APP4 arrive at the network element as unmarked application access requests, and it is therefore necessary to further determine whether the application is one with pre-configured directional access.
S64. If the application is one with pre-configured directional access, pass the packets of that application access request through to the Internet service.
In a specific implementation, if the application is one with pre-configured directional access, the packets of that application access request are passed through to the Internet service. Specifically, in one embodiment, directional access configuration information for APP3 has been pre-configured on the network element, so the network element passes the packets of APP3's application access request through to the Internet service.
S65. If the application is not one with pre-configured directional access, block the packets of that application access request.
In a specific implementation, if the application is not one with pre-configured directional access and the application access request is not marked, the packets of that application access request are blocked from reaching the Internet service. Specifically, in one embodiment, no directional access configuration information for APP4 has been pre-configured on the network element and APP4's application access request is not marked, so the network element blocks the packets of that application access request from reaching the Internet service.
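The whole path from the SDK's cache lookup, through the platform's dual authentication and marking, to the network element's decision in steps S61 to S65, replayed on the APP1 to APP4 embodiment as an added example; this is not code from the patent or from its assignee. The application names APP1 to APP4 and the step numbers come from the text; the package-like application information strings, the target URLs and the `APPID-` identifier format are constructed. One thing here goes beyond the text and is an assumption: the network element in this example treats a mark as valid only if it matches an identifier the platform actually issued (`valid_ids`), because a mark that is merely present is not evidence of authentication.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class AccessRequest:
    """One application access request as intercepted by the authentication SDK."""
    app_info: str                  # application information extracted from the request (constructed format)
    target: str                    # target address or service link the application wants to reach
    app_id: Optional[str] = None   # the mark; None means the request is unmarked


class IoTPlatform:
    """Application management, application authentication and behavior library modules."""

    def __init__(self, registered_app_info: Set[str], normal_record: Set[Tuple[str, str]]):
        self.registered = set(registered_app_info)   # user-registered application information
        self.normal_record = set(normal_record)       # (app_info, target) pairs in the normal access record
        self.issued_ids: Dict[str, str] = {}          # app_info -> application identifier issued after dual auth

    def registration_auth(self, app_info: str) -> bool:
        return app_info in self.registered

    def behavior_auth(self, app_info: str, target: str) -> bool:
        return (app_info, target) in self.normal_record

    def dual_auth(self, app_info: str, target: str) -> Optional[str]:
        """Registration authentication first, then access behavior authentication.
        Returns the application identifier on success, None on failure."""
        if not self.registration_auth(app_info):
            return None
        if not self.behavior_auth(app_info, target):
            return None
        if app_info not in self.issued_ids:
            self.issued_ids[app_info] = "APPID-" + secrets.token_hex(4)   # constructed identifier format
        return self.issued_ids[app_info]


class AuthSDK:
    """Authentication SDK on the IoT terminal: local cache first, then platform dual authentication."""

    def __init__(self, platform: IoTPlatform):
        self.platform = platform
        self.cache: Dict[str, str] = {}   # local cache: app_info -> app_id

    def intercept(self, req: AccessRequest) -> AccessRequest:
        app_id = self.cache.get(req.app_info)          # cache hit: mark straight away
        if app_id is None:                              # cache miss: ask the platform
            app_id = self.platform.dual_auth(req.app_info, req.target)
            if app_id is not None:
                self.cache[req.app_info] = app_id       # remember the result for the next access
        req.app_id = app_id                             # stays None when authentication failed
        return req


class NetworkElement:
    """Network element implementing S61 to S65. Checking the mark against `valid_ids`
    is an assumption added in this example, not a step the patent text describes."""

    def __init__(self, directional_config: Set[str], valid_ids: Dict[str, str]):
        self.directional = set(directional_config)    # app_info with pre-configured directional access
        self.valid_ids = valid_ids                     # identifiers the platform issued

    def decide(self, req: AccessRequest) -> str:
        marked = req.app_id is not None and self.valid_ids.get(req.app_info) == req.app_id   # S61
        if marked:
            return "allow"                              # S62
        if req.app_info in self.directional:            # S63
            return "allow"                              # S64
        return "block"                                  # S65


def run_scenario() -> Dict[str, str]:
    """Replays the APP1 to APP4 embodiment on constructed sample data."""
    platform = IoTPlatform(
        registered_app_info={"com.example.app1", "com.example.app2"},
        normal_record={("com.example.app1", "https://iot.example/telemetry"),
                       ("com.example.app2", "https://iot.example/config")},
    )
    sdk = AuthSDK(platform)
    ne = NetworkElement(directional_config={"com.example.app3"}, valid_ids=platform.issued_ids)

    # APP1 was authenticated on an earlier access, so its identifier is already cached.
    sdk.cache["com.example.app1"] = platform.dual_auth("com.example.app1", "https://iot.example/telemetry")

    requests = {
        "APP1": AccessRequest("com.example.app1", "https://iot.example/telemetry"),   # cached
        "APP2": AccessRequest("com.example.app2", "https://iot.example/config"),      # passes dual auth
        "APP3": AccessRequest("com.example.app3", "https://iot.example/other"),       # fails auth, has directional config
        "APP4": AccessRequest("com.example.app4", "https://iot.example/other"),       # fails auth, no config
    }
    return {name: ne.decide(sdk.intercept(req)) for name, req in requests.items()}


if __name__ == "__main__":
    print(run_scenario())   # APP1, APP2, APP3 allowed; APP4 blocked
```

The behavior library here is the simple membership check of the claims (the application information either is or is not in the normal access record); the frequency-based variant belongs to the behavior library discussion above and is not repeated. The `valid_ids` check is what a practitioner would add at the enforcement point: without it, a request that carries any non-empty mark would be passed through at S62.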
An embodiment of the present invention provides an Internet of Things directional access management and control method. The method includes: if the IoT terminal receives an application access request, intercepting the application access request through the authentication SDK and extracting the application information, where the application access request includes at least one access request initiated by the application; determining, according to the application information, whether the application exists in the local cache of the authentication SDK; if the application is in the local cache of the authentication SDK, marking the application access request with the application identifier corresponding to the application; if the application does not exist in the local cache of the authentication SDK, sending the application information to the IoT platform so that the IoT platform performs dual authentication, and marking the application access request corresponding to the application information that has passed the dual authentication with the corresponding application identifier; and sending all of the application access requests to the network resource module so that the network resource module decides whether to allow each request through according to whether the application access request is marked and whether the application is one with pre-configured directional access. While retaining control of application network access through the directional access configuration, the application access requests that pass the dual authentication are marked and the mark serves as the basis on which the network element allows them through; this reduces the time users spend on repeated directional configuration, shortens the matching time of the network element, and improves the efficiency of application data transmission and access.
FIG. 1 is a schematic architecture diagram of an Internet of Things directional access management and control system provided by an embodiment of the present invention. As shown in FIG. 1, corresponding to the above IoT directional access management and control method, the present invention also provides an IoT directional access management and control system. Specifically, referring to FIG. 1, the system includes an IoT terminal 10, an IoT platform 20 and a network resource module 30; the IoT terminal 10 includes an authentication SDK 12 and an application 11; the IoT platform 20 includes an application management module 21, an application authentication module 22 and a behavior library module 23; and the network resource module 30 includes a network element 31 and an Internet service 32. The IoT terminal 10, the IoT platform 20 and the network resource module 30 communicate with one another to jointly implement the above IoT directional access management and control method.
The IoT terminal 10 is configured to: if the IoT terminal 10 receives an application access request, intercept the application access request through the authentication SDK 12 and extract the application information, where the application access request includes at least one access request initiated by the application; determine, according to the application information, whether the application exists in the local cache of the authentication SDK 12; if the application is in the local cache of the authentication SDK 12, mark the application access request with the application identifier corresponding to the application; if the application does not exist in the local cache of the authentication SDK 12, send the application information to the IoT platform 20 so that the IoT platform 20 performs dual authentication, and mark the application access request corresponding to the application information that has passed the dual authentication with the corresponding application identifier; and send all of the application access requests to the network resource module 30 so that the network resource module 30 decides whether to allow each request through according to whether the application access request is marked and whether the application is one with pre-configured directional access.
In one embodiment, the IoT platform 20 includes an application authentication module 22 and a behavior library module 23, and the IoT platform 20 is further configured such that: the application authentication module 22 performs registration authentication on the received application information; if the registration authentication passes, the application authentication module 22 sends the application information to the behavior library module 23 for access behavior authentication; and if the behavior authentication passes, the application information is determined to have passed the dual authentication.
In one embodiment, the IoT platform 20 further includes an application management module 21 in which the application information registered by users is stored, and the IoT platform 20 is further configured such that: the application authentication module 22 compares the application information with the user-registered application information in the application management module 21; if the comparison succeeds, the registration authentication is determined to have passed, and if the comparison fails, the registration authentication is determined to have failed.
In one embodiment, the behavior library module 23 stores a normal access behavior record, and the behavior library module 23 is configured to look up whether the application information exists in the normal access behavior record; if the application information exists in the normal access behavior record, the access behavior authentication is determined to have passed, and if the application information does not exist in the normal access behavior record, the access behavior authentication is determined to have failed.
In one embodiment, the application authentication module 22 is further configured such that, if the application information passes the dual authentication, the application authentication module 22 generates an application identifier corresponding to the application information that passed the dual authentication and returns that application identifier to the authentication SDK.
In one embodiment, the authentication SDK 12 is configured to cache the application information that has passed the dual authentication, together with its corresponding application identifier, in the local cache of the authentication SDK.
In one embodiment, the network resource module 30 includes a network element 31 and an Internet service 32, where the network element 31 is configured to detect whether each of the application access requests is marked; if the application access request is marked, pass the packets of that application access request through to the Internet service 32; if the application access request is not marked, determine whether the application is one with pre-configured directional access; if the application is one with pre-configured directional access, pass the packets of that application access request through to the Internet service 32; and if the application is not one with pre-configured directional access, block the packets of that application access request.
In one embodiment, the behavior library module 23 is configured to receive the application information and store it in order to build the normal access behavior record.
In one embodiment, the IoT platform 20 is further configured to: if the IoT platform 20 receives an application registration request sent by the user end, extract the application information from the registration request and store it in the application management module; and if the IoT platform 20 receives an application directional access configuration request sent by the user end, extract the application directional access configuration information from the application directional access configuration request and store it in the network element 31.
Those of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To clearly illustrate the interchangeability of hardware and software, the composition and steps of each example have been described above in general terms according to their functions. Whether these functions are performed in hardware or in software depends on the specific application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each specific application, but such implementation should not be regarded as going beyond the scope of the present invention.
In the several embodiments provided by the present invention, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative. For example, the division into units is only a division by logical function, and other divisions are possible in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed.
The steps in the methods of the embodiments of the present invention may be reordered, combined and deleted according to actual needs. The units in the apparatus of the embodiments of the present invention may be combined, divided and deleted according to actual needs. In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a storage medium. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a terminal, a network device or the like) to perform all or some of the steps of the methods described in the embodiments of the present invention.
In the above embodiments, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, reference may be made to the relevant descriptions of the other embodiments.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, provided that these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is intended to cover them as well.
The above are merely specific embodiments of the present invention, but the scope of protection of the present invention is not limited to them. Any person skilled in the art can readily conceive of various equivalent modifications or substitutions within the technical scope disclosed by the present invention, and such modifications or substitutions shall all fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be determined by the scope of protection of the claims.

Claims (10)

  1. An Internet of Things directional access management and control method, characterized in that it is applied to an Internet of Things directional access management and control system, the Internet of Things directional access management and control system comprising an Internet of Things terminal, an Internet of Things platform and a network resource module, the Internet of Things terminal comprising an authentication SDK, and the authentication SDK caching application information and application identifiers of applications that have already made accesses; the method comprising:
    if the Internet of Things terminal receives an application access request, intercepting the application access request through the authentication SDK and extracting the application information, wherein the application access request comprises at least one access request initiated by the application;
    determining, according to the application information, whether the application exists in a local cache of the authentication SDK;
    if the application is in the local cache of the authentication SDK, marking the application access request with an application identifier corresponding to the application;
    if the application does not exist in the local cache of the authentication SDK, sending the application information to the Internet of Things platform so that the Internet of Things platform performs dual authentication;
    marking the application access request corresponding to the application information that has passed the dual authentication with the corresponding application identifier; and
    sending all of the application access requests to the network resource module, so that the network resource module decides whether to allow each request through according to whether the application access request is marked and whether the application is one with pre-configured directional access.
  2. The Internet of Things directional access management and control method according to claim 1, characterized in that the Internet of Things platform comprises an application authentication module and a behavior library module, and the Internet of Things platform performing dual authentication comprises:
    the application authentication module performing registration authentication on the received application information;
    if the registration authentication passes, the application authentication module sending the application information to the behavior library module for access behavior authentication; and
    if the behavior authentication passes, determining that the application information has passed the dual authentication.
  3. The Internet of Things directional access management and control method according to claim 2, characterized in that the Internet of Things platform further comprises an application management module in which application information registered by users is stored, and the application authentication module performing registration authentication on the received application information comprises:
    the application authentication module comparing the application information with the user-registered application information in the application management module; and
    if the comparison succeeds, determining that the registration authentication has passed, and if the comparison fails, determining that the registration authentication has failed.
  4. The Internet of Things directional access management and control method according to claim 3, characterized in that a normal access behavior record is stored in the behavior library module, and the application authentication module sending the application information to the behavior library module for access behavior authentication comprises:
    the behavior library module looking up whether the application information exists in the normal access behavior record; and
    if the application information is in the normal access behavior record, determining that the access behavior authentication has passed, and if the application information does not exist in the normal access behavior record, determining that the access behavior authentication has failed.
  5. The Internet of Things directional access management and control method according to claim 4, characterized in that, before the marking of the application access request corresponding to the application information that has passed the dual authentication with the corresponding application identifier, the method further comprises:
    if the application information passes the dual authentication, the application authentication module generating an application identifier corresponding to the application information that passed the dual authentication and returning that application identifier to the authentication SDK.
  6. The Internet of Things directional access management and control method according to claim 5, characterized in that, after the marking of the application access request corresponding to the application information that has passed the dual authentication with the corresponding application identifier, the method further comprises:
    the authentication SDK caching the application information that has passed the dual authentication, together with the corresponding application identifier, in the local cache of the authentication SDK.
  7. The Internet of Things directional access management and control method according to claim 6, characterized in that the network resource module comprises a network element and an Internet service, and the sending of all of the application access requests to the network resource module so that the network resource module decides whether to allow each request through according to whether the application access request is marked and whether the application is one with pre-configured directional access comprises:
    the network element detecting whether each of the application access requests is marked;
    if the application access request is marked, passing the packets of that application access request through to the Internet service;
    if the application access request is not marked, determining whether the application is one with pre-configured directional access;
    if the application is one with pre-configured directional access, passing the packets of that application access request through to the Internet service; and
    if the application is not one with pre-configured directional access, blocking the packets of that application access request.
  8. The Internet of Things directional access management and control method according to claim 7, characterized in that the method further comprises:
    the behavior library module receiving the application information and storing it in order to build the normal access behavior record.
  9. The Internet of Things directional access management and control method according to claim 8, characterized in that the method further comprises:
    if the Internet of Things platform receives an application registration request sent by a user end, extracting the application information from the registration request and storing it in the application management module; and
    if the Internet of Things platform receives an application directional access configuration request sent by the user end, extracting the application directional access configuration information from the application directional access configuration request and storing it in the network element.
  10. An Internet of Things directional access management and control system, characterized in that it comprises an Internet of Things terminal, an Internet of Things platform and a network resource module, the Internet of Things terminal comprising an authentication SDK, and the Internet of Things terminal, the Internet of Things platform and the network resource module communicating with one another to jointly implement the method according to any one of claims 1 to 9.
PCT/CN2022/140374 2021-12-30 2022-12-20 Internet of things directional access management and control method and system WO2023125147A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202111647370.0 2021-12-30
CN202111647370.0A CN114338177B (en) 2021-12-30 2021-12-30 Directional access control method and system for Internet of things

Publications (1)

Publication Number Publication Date
WO2023125147A1 true WO2023125147A1 (en) 2023-07-06

Family

ID=81017610

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/140374 WO2023125147A1 (en) 2021-12-30 2022-12-20 Internet of things directional access management and control method and system

Country Status (2)

Country Link
CN (1) CN114338177B (en)
WO (1) WO2023125147A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114338177B (en) * 2021-12-30 2023-07-21 天翼物联科技有限公司 Directional access control method and system for Internet of things

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20200092701A1 (en) * 2018-09-14 2020-03-19 Afero, Inc. Apparatus and method for registering and associating internet of things (iot) devices with anonymous iot device accounts
CN111225075A (en) * 2019-11-12 2020-06-02 中盈优创资讯科技有限公司 Configuration method and device for Internet of things directional access service
CN113539523A (en) * 2021-07-19 2021-10-22 浪潮云信息技术股份公司 Internet of things equipment identity authentication method based on domestic commercial cryptographic algorithm
CN114338177A (en) * 2021-12-30 2022-04-12 天翼物联科技有限公司 Directional access control method and system for Internet of things

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110202989A1 (en) * 2010-02-18 2011-08-18 Nokia Corporation Method and apparatus for providing authentication session sharing
CN104767715B (en) * 2014-01-03 2018-06-26 华为技术有限公司 Access control method and equipment
US20180232514A1 (en) * 2016-02-03 2018-08-16 Averon Us, Inc. Method and apparatus for facilitating access to a device utilizing frictionless two-factor authentication
US10771468B1 (en) * 2016-11-29 2020-09-08 Amazon Technologies, Inc. Request filtering and data redaction for access control
CN110770695B (en) * 2017-06-16 2024-01-30 密码研究公司 Internet of things (IOT) device management
US11153309B2 (en) * 2018-03-13 2021-10-19 At&T Mobility Ii Llc Multifactor authentication for internet-of-things devices
CN108737381B (en) * 2018-04-23 2021-11-16 厦门盛华电子科技有限公司 Extension authentication method of Internet of things system
CN110535880B (en) * 2019-09-25 2022-06-14 四川师范大学 Access control method and system of Internet of things
CN111224952B (en) * 2019-12-24 2022-06-03 中移(杭州)信息技术有限公司 Network resource acquisition method and device for directional flow and storage medium
CN113343196A (en) * 2021-06-01 2021-09-03 永旗(北京)科技有限公司 Internet of things security authentication method

Also Published As

Publication number Publication date
CN114338177A (en) 2022-04-12
CN114338177B (en) 2023-07-21

Similar Documents

Publication Publication Date Title
US8935419B2 (en) Filtering device for detecting HTTP request and disconnecting TCP connection
US7982595B2 (en) Network policy evaluation
US10326730B2 (en) Verification of server name in a proxy device for connection requests made using domain names
US9490986B2 (en) Authenticating a node in a communication network
US20140020067A1 (en) Apparatus and method for controlling traffic based on captcha
US11509665B2 (en) System, method and computer readable medium for message authentication to subscribers of an internet service provider
US20190075098A1 (en) Computer readable storage media for legacy integration and methods and systems for utilizing same
US20060143301A1 (en) Systems and methods for establishing and validating secure network sessions
WO2021027600A1 (en) Single log-in method, apparatus and device, and computer-readable storage medium
US10375099B2 (en) Network device spoofing detection for information security
US20190036926A1 (en) Network Device Location Information Validation For Access Control and Information Security
US11190515B2 (en) Network device information validation for access control and information security
US10873497B2 (en) Systems and methods for maintaining communication links
US10992643B2 (en) Port authentication control for access control and information security
US20230328063A1 (en) Method for Determining Trusted Terminal and Related Apparatus
CN112615810B (en) Access control method and device
WO2023125147A1 (en) Internet of things directional access management and control method and system
CN113992387B (en) Resource management method, device, system, electronic equipment and readable storage medium
CN113297629B (en) Authentication method, device, system, electronic equipment and storage medium
CN113271285A (en) Method and device for accessing network
JP2005227993A (en) Access authentication method for network system

Legal Events

Date Code Title Description
121 EP: The EPO has been informed by WIPO that EP was designated in this application
Ref document number: 22914401
Country of ref document: EP
Kind code of ref document: A1