Summary of the invention
In view of this, the main purpose of the present invention is to provide an integrated smart community platform that solves the problems of existing community systems: their equipment cannot be managed centrally, there is no intelligent linkage or data fusion, and the community lacks a unified platform channel for carrying out sustained business and service operation, so that no added convenience is brought to residents, managers, service providers and merchants.
According to one aspect of the present invention, an integrated smart community platform is provided, comprising:
a community platform management system, a third-party access system and a public information service system,
the community platform management system being connected with the public information service system and used for managing, and synchronizing data with, all connected intranet devices, and for sending data processing requests to the public information service system according to the management data and the synchronized data, where the intranet devices are devices capable of monitoring and managing the community security situation, and the community platform management system is deployed in the community network;
the third-party access system being connected with the public information service system and used for accessing third-party service ends according to an interface standard taken from an interface list, and for conveying to the public information service system the data processing requests arriving through the accessed third-party service ends, where the interface list stores the access information of third-party service ends of different interface standards, so that third-party service ends are accessed according to updates of that access information, and the third-party access system is deployed in the cloud;
the public information service system being used for performing data processing, through a front-end processor system, according to the data processing requests sent by the community platform management system and the third-party access system, and being deployed in the cloud.
Further, the public information service system comprises a file subsystem, a message subsystem, a configuration subsystem, an operation and maintenance (O&M) subsystem and an application subsystem,
the file subsystem being used for storing and querying files such as the image data, audio data and video data obtained in the community by monitoring devices; the message subsystem being used for allocating and managing the messages obtained from the community Internet of Things; the configuration subsystem being used for configuring information for all intranet devices in the community that access the community platform management system; the O&M subsystem being used for authenticating the permissions of users who log in to the existing community platform, and for performing data analysis and data monitoring on all data in the intranet devices; the application subsystem being used for maintaining the business applications and terminal devices accessed through the third-party access system;
wherein, after receiving the data processing requests delivered by the community platform management system and the third-party access system, the public information service system classifies the data processing requests according to the different business demands and delivers the classified data processing requests to the corresponding file subsystem, message subsystem, configuration subsystem, O&M subsystem or application subsystem for processing.
Further, the community platform further comprises an extranet access subsystem and a gateway,
the extranet access subsystem being connected with the public information service system and used for accessing extranet devices while Internet connectivity is available; the gateway being connected with the public information service system and used for accessing smart home devices through an Internet of Things protocol.
Further, the community platform management system is specifically used for receiving, on the basis of a LAN server, the data entered by the intranet devices, marking the data according to the intranet device that entered them, performing operational management of the intranet devices according to business demands, and synchronizing the marked data into the community database in the community platform management system, wherein, when the community platform management system transmits data with the intranet devices on the basis of the LAN server, the transmitted data are encrypted according to AES128S and a timestamp mode.
Further, the public information service system is also used for providing a management interface to a government end, so that the government end can access the public information service system and perform data queries.
Further, the third-party access system is also specifically used for judging the identity information of the sender of an access request when the access request is detected; if the sender of the access request is an owner, verifying whether the owner has access permission through the third-party access system and, if the verification passes, connecting the owner to the public information service system through the third-party access system to provide hardware access services for the owner; if the sender of the access request is a merchant, providing the public information service system with the marketing and push services offered by the merchant information; if the sender of the access request is the property management, requesting the highest access permission from the public information service system through the third-party access system and performing service management of the public information service system with that highest access permission.
Further, the community platform management system comprises intelligent system devices, a community database and a community center management server,
wherein the community center management server is connected with the intelligent system devices and the community database respectively, and is used for receiving the data input by the intelligent system devices and storing them by category in the community database according to the business type of the data, the input data being encrypted in different modes according to the security levels of account login information data, control instruction data and system privacy data; the community center management server is connected with the public information service system and is used for transmitting data to the public information service system.
Further, the public information service system is specifically used for judging, when the third-party access system and the public information service system respectively transmit data with the community center management server, whether online transmission is in progress; if online transmission is in progress it connects to the community center management server, and if not it extracts the data from the community database.
Further, the community platform further comprises an alarm module,
the alarm module being connected with the community platform management system, the third-party access system and the public information service system respectively, and used for raising an alarm when the community platform management system receives abnormal data, and/or when the third-party access system verifies that the sender of an access request is an abnormal user, and/or when the public information service system processes abnormal data.
Further, the community platform further comprises an Internet data management module, connected with the public information service system and used for uploading the data in the public information service system to the cloud and performing cloud data management.
By means of the above technical solution, the technical solution provided in the embodiments of the present invention has at least the following advantages:
The present invention provides an integrated smart community platform comprising a community platform management system, a third-party access system and a public information service system. Compared with existing community security, in which the obtained data can only be processed by a single system and diversified management solutions cannot be provided according to the differing demands of community residents, the embodiments of the present invention connect the community platform management system and the third-party access system through the public information service system, provide an open interface to the users accessing from many sides, support the seamless access of the platforms, systems and hardware of each manufacturer, manage and allocate them uniformly through the public information service system, automatically give early warning of dangerous situations, keep the data in dual backup so that they are safe and reliable, and can provide a variety of business and service operations to create a more convenient, high-quality life.
The above description is only an overview of the technical scheme of the present invention. In order that the technical means of the present invention can be better understood and implemented according to the contents of the specification, and in order that the above and other objects, features and advantages of the present invention can be made clearer and more comprehensible, specific embodiments of the present invention are given below.
Specific embodiment
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the disclosure are shown in the drawings, it should be understood that the disclosure may be realized in various forms and should not be limited by the embodiments set forth here. On the contrary, these embodiments are provided to facilitate a more thorough understanding of the present invention and to fully convey the scope of the disclosure to those skilled in the art.
An embodiment of the present invention provides an integrated smart community platform which, as shown in Figure 1, comprises a community platform management system 11, a third-party access system 12 and a public information service system 13,
the community platform management system 11 being connected with the public information service system 13 and used for managing, and synchronizing data with, all connected intranet devices, and for sending data processing requests to the public information service system 13 according to the management data and the synchronized data, where the intranet devices are devices capable of monitoring and managing the community security situation, and the community platform management system 11 is deployed in the community network; the third-party access system 12 being connected with the public information service system 13 and used for accessing third-party service ends according to an interface standard taken from an interface list, and for conveying to the public information service system 13 the data processing requests arriving through the accessed third-party service ends, where the interface list stores the access information of third-party service ends of different interface standards, so that third-party service ends are accessed according to updates of that access information, and the third-party access system 12 is deployed on a cloud server; the public information service system 13 being used for performing data processing, through a front-end processor system, according to the data processing requests sent by the community platform management system 11 and the third-party access system 12, and being deployed in the cloud.
The intranet devices connected by the community platform management system 11 may include all intelligent system devices in the community, such as monitoring devices and access control devices, for example the monitoring cameras installed at the different monitoring points in the community and the entry gates through which owners pass, and may also include the smart appliances in owners' homes connected through an Internet of Things protocol; the embodiment of the present invention is not specifically limited in this respect. Using the data collected by the above intranet devices, the community platform management system 11 can manage those devices, for example intelligently selecting whether to perform access control or whether to use the monitoring cameras for video monitoring; it can also synchronize the data collected by those devices into the database in the community platform management system 11, or send data processing requests to the public information service system 13 according to the management data and synchronized data, so that the public information service system 13 provides the corresponding community services according to them. In general, the community platform management system 11 is the communication bridge between the intranet devices and the public information service system 13, realizing the data connection between the intranet devices and this integrated smart community platform.
In addition, the third-party access system 12 provides the public information service system 13 with different interface standards, stored in the form of an interface list; when a third-party service end joins, it is accessed according to the applicable interface standard. The third-party service ends may include a merchant end, an owner end and a property management end, and after a third-party service end is accessed, different business services are provided through the connected public information service system 13. The public information service system 13, as the core processing system of this integrated smart community platform, is connected separately to the community platform management system 11 and the third-party access system 12, processes the data sent by the community platform management system 11, and provides business services to the accessed third-party service ends. In the embodiment of the present invention, this integrated smart community platform can be integrated into different types of community, such as intelligent buildings, smart property management, intelligent offices, family private clouds, intelligent medical care and smart elderly care, providing the services demanded according to the data of each type of community.
The front-end processor system refers to the intermediate system devices that perform on-site information exchange and that pre-process, store and forward the data from the hardware devices, so as to complete the control of the entire instruction.
The functions that the integrated smart community platform provided by the embodiment of the present invention can realize include, but are not limited to: video monitoring, building intercom, smart home, smart elderly care, information publication, online payment, community lighting, community portal, grid management, visitor management, one-card access, access control, community shopping, smart property management, energy consumption, tourism, alarms, housekeeping, patrols and convenience services, as well as the monitoring, control and management of common community equipment such as community security equipment, home elderly care equipment, community access control, electronic patrol, vehicle entry/exit and parking guidance, public broadcasting, fire alarms, lighting systems and intelligent spray irrigation.
Further, as a refinement and extension of the public information service system, optionally, the public information service system comprises a file subsystem, a message subsystem, a configuration subsystem, an O&M subsystem and an application subsystem: the file subsystem is used for storing and querying files such as the image data, audio data and video data obtained in the community by monitoring devices; the message subsystem is used for allocating and managing the messages obtained from the community Internet of Things; the configuration subsystem is used for configuring information for all intranet devices in the community that access the community platform management system; the O&M subsystem is used for authenticating the permissions of users who log in to the existing community platform, and for performing data analysis and data monitoring on all data in the intranet devices; the application subsystem is used for maintaining the business applications and terminal devices accessed through the third-party access system;
wherein, after receiving the data processing requests delivered by the community platform management system and the third-party access system, the public information service system classifies the data processing requests according to the different business demands and delivers the classified data processing requests to the corresponding file subsystem, message subsystem, configuration subsystem, O&M subsystem or application subsystem for processing.
In the embodiment of the present invention, the different business demands can be obtained by parsing the data processing request. For example, if the data processing request is a query for the monitoring video of a certain period, the corresponding business demand is a video data query, and the video data stored in the file subsystem can be queried; if the data processing request is to configure the information of a smart appliance connected through an Internet of Things protocol, the corresponding business demand is information configuration, which can be performed through the configuration subsystem; and so on. The embodiment of the present invention is not specifically limited in this respect.
As shown in Fig. 2, in order to make the functions of the integrated smart community platform diverse and general, and to facilitate the connection of extranet devices, the integrated smart community platform further comprises an extranet access subsystem 14 and a gateway 15; the extranet access subsystem 14 is connected with the public information service system 13 and is used for accessing extranet devices while Internet connectivity is available; the gateway 15 is connected with the public information service system 13 and is used for accessing smart home devices through an Internet of Things protocol.
The smart home devices may include intelligent switches, intelligent electrical appliances and so on; the embodiment of the present invention is not specifically limited in this respect. In addition, since the intranet devices of this community platform are connected through the Internet of Things, the connection of extranet devices must be made while Internet connectivity is available in order to ensure their access.
In another preferred embodiment of the present application, in addition to the above use of the community platform management system, the community platform management system 11 is specifically used for receiving, on the basis of a LAN server, the data entered by the intranet devices, marking the data according to the intranet device that entered them, performing operational management of the intranet devices according to business demands, and synchronizing the marked data into the community database in the community platform management system, wherein, when the community platform management system transmits data with the intranet devices on the basis of the LAN server, the transmitted data are encrypted according to AES128S and the timestamp mode.
It should be noted that, for the LAN server corresponding to the community platform management system, the intranet devices may be all terminal devices connected through the local area network, such as intercoms, video monitors, lighting equipment and alarms. In order to accurately determine the type of the entered data, the data entered by the different intranet devices can be marked so that they are managed separately; for example, the video data input by a video monitor is marked as video, so that operational management such as video query and video storage can be performed. In order to keep the data storage in the community platform management system separate, the marked data can be stored in the community database, so that the public information service system can extract them directly from the community database when needed.
When a terminal device transmits data to the LAN server, the data must be encrypted in order to increase their confidentiality, and the transmitted data are encrypted according to AES128S and the timestamp mode.
In addition, the intercom in the embodiment of the present invention can perform digital intercom directly with the APP and can monitor and report abnormal user behavior. Specifically, for example, when a wrong password is entered at a door access machine 3 or more times, the background system of the integrated smart community platform automatically starts video, records the images of the period of abnormal password entry, and uploads them to the server; when a door access machine fails or cannot connect, the background system automatically detects the source of the fault and sends it to the administrator in the form of an SMS message; when a door access machine user opens the door frequently within one day, the system automatically records this and prompts the administrator. The door access machine is connected to an ordering application, receives customized orders and service pushes, and so lets the user order food directly.
Further, as a refinement and extension of the community platform management system, optionally, the community platform management system comprises intelligent system devices, a community database and a community center management server, wherein the community center management server is connected with the intelligent system devices and the community database respectively, and is used for receiving the data input by the intelligent system devices and storing them by category in the community database according to the business type of the data, the input data being encrypted in different modes according to the security levels of account login information data, control instruction data and system privacy data; the community center management server is connected with the public information service system and is used for transmitting data to the public information service system. The intelligent system devices include external third-party devices such as indoor units, door units and door card identification devices; the indoor unit can also serve as a home gateway to access various smart home devices; the door unit supports multi-mode door opening by face, ID-and-face verification, fingerprint, finger vein, IC card, password and so on, as well as attendance and calling, can support the hardware devices of each manufacturer, including but not limited to parking lots, intercoms and access control, and can support offline use.
Figure 3 shows the overall architecture between the community platform management system and the devices. The existing community platform management system operates the devices in a server-to-server mode: the community center management server cannot operate the devices directly, but only after verification by the LAN server, in which an IP whitelist is configured so that only the specified servers and devices are responded to. Device data are transmitted to the LAN server after AES128 encryption with timestamp data added, and the LAN server likewise transmits them to the community center management server after AES128 encryption with timestamp data added; the same applies when data are transmitted between the community center management server and the client.
When the LAN server transmits data with the community center management server, the transmitted data are encrypted according to AES128S and the timestamp mode. Specifically, when server a transmits parameters, it first obtains the current system timestamp, encrypts the transmission with AES128 in combination with a secret key that only the servers know and that is never transmitted over the network, stores the timestamp in the cache of server a, and sends the data to server b. Server b obtains the timestamp; if it differs from the current time by more than 1 minute, a request failure is returned; if it differs by 1 minute or less, the timestamp passes verification and the data are decrypted using the timestamp and the key. If decryption fails, an error is returned and the corresponding IP is recorded; if 20 consecutive operations fail, that IP is restricted from access for 10 hours. For data submitted in this way, the signature parameter of the URL connection is encrypted according to a certain rule; after receiving the data, the server applies the same rule to encrypt them securely and, only after confirming that the data have not been tampered with in transit, performs the data modification processing. Therefore, different access methods, such as Web, APP and WinForm, are assigned different encryption keys; the keys are agreed by both sides and are not transmitted over the network connection; the connection transmits the App ID of the accessing party, and the server uses this App ID to perform the signature parameter comparison.
In addition, for the intelligent system devices, when such devices transmit data with the existing community center management server, the data are divided into levels: the higher the level, the more complex the encryption mode. The levels comprise the user's account login information data, control instruction data and system privacy data. The user's account login information data are level I, the highest level: they are processed with the MD5 algorithm and digitally signed with AES encryption technology to guarantee the security, integrity and non-repudiation of the data in transmission. For example, in the scenario where a user sends an instruction to the management server through the APP and the server executes the instruction on a device, none of the devices can be accessed from the extranet, data can only be transmitted within the local area network through the LAN server, and the user data are encrypted with MD5 during transmission; the user's username and password are then encrypted with a specific key value and stored in the local database, and a string of ciphertext generated by MD5-encrypting the username together with a corresponding random code is used as the user's token. The validity period of a user's token is set to 2 days, after which it expires if the user has not used it; a user with 10 consecutive token verification failures is placed on the blacklist and cannot access the platform for 10 hours. Management instruction data belong to level II and comprise the series of control operations performed on the system; to ensure that control instructions are initiated by legitimate users, the MD5 algorithm and digital signatures are used to guarantee their safe transmission. For example, before a control instruction is sent it is first encrypted with MD5 and then AES-encrypted with the agreed key; the control instruction transmitted by the user first passes the local server's token verification and IP verification, after which the encrypted control instruction is sent to the intelligent system device. The intelligent system device decrypts the control instruction and judges whether it is a conventional control instruction; if not, the instruction information is transmitted to the community center management server, which counts the abnormal occurrences and, if they recur repeatedly, restricts the access permission of the IP that sent the control instruction; if it is a conventional control instruction, it is executed after successful parsing and recorded in the log. System privacy data are level III and are encrypted with the MD5 algorithm and the AES encryption algorithm. In addition, for the transmission of some general data, the faster and more efficient AES algorithm is chosen.
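The following is an added example, written for this edit and not part of the patent or of any implementation of it, that works through the two mechanisms described above: the timestamp-bound server-to-server check with the 1-minute window and the 10-hour IP restriction after 20 failed decryptions, and the 2-day login token with the blacklist after 10 consecutive verification failures. The Python standard library has no AES, so an HMAC-SHA256 tag over the timestamp and payload stands in for the AES128-plus-timestamp encryption; the shared key, IP addresses, usernames and clock values are all constructed.

```python
"""Constructed example: timestamp-bound request check with per-IP lockout
(server a -> server b) and the two-day login token with a blacklist.
HMAC-SHA256 stands in for the AES128-plus-timestamp encryption; the key,
addresses, usernames and clock values used below are all constructed."""
import hashlib
import hmac
import secrets

WINDOW_SECONDS = 60                # timestamp may differ from now by at most 1 minute
TOKEN_TTL_SECONDS = 2 * 24 * 3600  # token valid for 2 days
LOCKOUT_SECONDS = 10 * 3600        # IP or user locked out for 10 hours
IP_FAILURE_LIMIT = 20              # consecutive failed decryptions before IP lockout
TOKEN_FAILURE_LIMIT = 10           # consecutive failed token checks before blacklist


class FailureLimiter:
    """Counts consecutive failures per key (an IP or a username) and blocks the
    key for `lockout` seconds once `limit` is reached; a success resets the count."""

    def __init__(self, limit, lockout=LOCKOUT_SECONDS):
        self.limit = limit
        self.lockout = lockout
        self.failures = {}       # key -> consecutive failure count
        self.blocked_until = {}  # key -> time at which the block expires

    def is_blocked(self, key, now):
        return self.blocked_until.get(key, 0) > now

    def record(self, key, ok, now):
        if ok:
            self.failures.pop(key, None)
            return
        count = self.failures.get(key, 0) + 1
        if count >= self.limit:
            self.blocked_until[key] = now + self.lockout
            self.failures.pop(key, None)
        else:
            self.failures[key] = count


# --- server a -> server b: timestamp plus keyed tag over the payload ----------
ip_limiter = FailureLimiter(IP_FAILURE_LIMIT)


def seal(key, payload, now):
    """Server a: bind the current timestamp to the payload with the shared key."""
    ts = str(int(now)).encode()
    tag = hmac.new(key, ts + b"." + payload, hashlib.sha256).hexdigest()
    return ts.decode(), payload, tag


def receive(key, message, src_ip, now):
    """Server b: refuse restricted IPs, stale timestamps and bad tags. Only a
    failed tag check (the stand-in for failed decryption) counts towards the
    20-failure IP restriction, as in the text; a stale timestamp just fails."""
    if ip_limiter.is_blocked(src_ip, now):
        return "blocked"
    ts, payload, tag = message
    if abs(now - int(ts)) > WINDOW_SECONDS:
        return "stale"
    expected = hmac.new(key, ts.encode() + b"." + payload, hashlib.sha256).hexdigest()
    ok = hmac.compare_digest(expected, tag)
    ip_limiter.record(src_ip, ok, now)
    return "ok" if ok else "error"


# --- login token: MD5(username + random code), valid for 2 days ---------------
token_limiter = FailureLimiter(TOKEN_FAILURE_LIMIT)
issued_tokens = {}  # token -> (username, issued_at)


def issue_token(username, now):
    """The token is the MD5 of the username and a random code, as the text states."""
    random_code = secrets.token_hex(8)
    token = hashlib.md5((username + random_code).encode()).hexdigest()
    issued_tokens[token] = (username, now)
    return token


def verify_token(username, token, now):
    """Blacklisted users are refused outright; a token must exist, belong to the
    user and be at most 2 days old; 10 consecutive failures blacklist the user."""
    if token_limiter.is_blocked(username, now):
        return "blacklisted"
    entry = issued_tokens.get(token)
    ok = (entry is not None and entry[0] == username
          and now - entry[1] <= TOKEN_TTL_SECONDS)
    token_limiter.record(username, ok, now)
    return "ok" if ok else "invalid"
```

Within the 1-minute window a captured message would be accepted a second time; keeping a short cache of timestamps already seen on server b closes that gap.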
In the embodiment of the present invention, the public information service system is specifically used for judging, when the third-party access system and the public information service system respectively transmit data with the community center management server, whether online transmission is in progress; if online transmission is in progress it connects to the community center management server, and if not it extracts the data from the community database.
It should be noted that, as shown in Figure 3, the indoor unit can connect smart appliances such as intelligent lamps, intelligent curtains and intelligent air conditioners through an Internet of Things protocol and transmits data to the community center management server in UDP data packets, and the door unit likewise transmits data to the community center management server in UDP data packets. The community center management server determines, per device, whether the device has permission, and determines according to the data synchronization with the public information service device whether it is online and whether the data are to be stored in the community database; if the community center management server is offline when processing data, it connects to the community database; if the data synchronization sent from the public information service device is offline, use of the community center management system is forbidden.
In another preferred embodiment of the present application, in addition to the above use of the public information service system, the public information service system is also used for providing a management interface to a government end, so that the government end can access the public information service system and perform data queries. So that government organs can manage, collect and query the various information in the community at any time, the public information service system in this integrated smart community platform provides a standard interface to the government end for access management at any time. As shown in Figure 4, in the embodiment of the present invention the permissions of the government end can be configured in advance, so that the government can perform various management and monitoring after access without affecting the privacy of the owners' lives.
Further, in order to meet different third-party access demands, third party's access system described in the present embodiment hasBody is also used to when detecting access request, judges the identity information of the sender of the access request;If the access requestSender be owner, then verify the owner whether be with the access authority by third party's access system, if lead toVerifying is crossed, then the public information service system is connected to by third party's access system, provides hardware for the ownerAccess service;If the sender of the access request is businessman, mentioned to public information service service provider person's informationThe marketing and Push Service of confession;If the sender of the access request is property, by third party's access system to institutePublic information service system request highest access authority is stated, and by the highest access authority to the public information service systemSystem carries out service management.
It should be noted that the identity information may include owner identity, merchant identity and property identity. In the embodiment of the present invention, in order to ensure that the owner is a service user of this community, the owner identity is verified at access time; this can be verified by the account and information with which the owner logs in. In general, when an owner accesses this community platform for the first time, the property management configures a uniquely used account for that owner in this community. For example, after accessing through an indoor terminal or a mobile terminal, the owner can control the community intelligent security hardware by accessing the public information service system, such as the parking lot, access control equipment, visitor management and elevator access control, can control smart home hardware, wearable devices and the like, and can enjoy convenient community life services. After a merchant accesses this community platform for the first time, the identity information of the access can be asserted to be a merchant, and the marketing and push services that can be provided are determined; for example, the marketing and push service based on accurate data is linked to a sharing platform in the community platform through the third party access system, assisting merchants with high efficiency and low cost. In the embodiment of the present invention, the property management is the access party with the highest permission among the third party access parties of this community platform; therefore, based on mobile internet, this community platform seamlessly links property management and community owners, thereby improving management efficiency, reducing costs, increasing additional income, and improving service quality and the owner experience.
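The identity-tiered access decision described above, written out as an added example (not code from the patent or the platform it describes): the sender of a request is looked up in an account directory, the credential is verified against a salted one-way hash, and the requested service is then checked against the permissions of the sender's tier, with property management the only tier that may request service management. An unknown account or a credential mismatch is flagged for the alarm module. The directory layout, the request fields, the permission names and the PBKDF2 work factor are assumptions.

```python
"""Added example: identity-tiered authorization in the third party access system.

Constructed to illustrate the owner / merchant / property handling in the text;
the account directory, request fields, permission names and alarm flag are
assumptions, not the platform's own code.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from enum import Enum


class Identity(Enum):
    OWNER = "owner"
    MERCHANT = "merchant"
    PROPERTY = "property"


# Services each tier may request from the public information service system.
# Property management is the only tier allowed to request service management.
TIER_PERMISSIONS = {
    Identity.OWNER: {"hardware_access"},
    Identity.MERCHANT: {"marketing_push"},
    Identity.PROPERTY: {"hardware_access", "marketing_push", "service_management"},
}
PBKDF2_ROUNDS = 100_000  # assumed work factor


@dataclass
class Account:
    account_id: str
    identity: Identity
    community: str
    salt: bytes
    pw_hash: bytes  # salted one-way hash; the clear password is never stored


@dataclass
class AccessRequest:
    account_id: str
    password: str
    community: str
    wanted: str  # the service the sender is asking for


@dataclass
class Decision:
    allowed: bool
    reason: str
    alarm: bool = False  # True when the alarm module should be told of an abnormal user


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def register(directory: dict, account_id: str, identity: Identity,
             community: str, password: str) -> None:
    """Property management configures the unique account an owner or merchant uses."""
    salt = os.urandom(16)
    directory[account_id] = Account(account_id, identity, community, salt,
                                    hash_password(password, salt))


def authorize(directory: dict, req: AccessRequest) -> Decision:
    """Classify the sender, verify the credential, then apply the tier's permissions."""
    acct = directory.get(req.account_id)
    if acct is None:
        hash_password(req.password, b"\0" * 16)  # keep timing close to a real lookup
        return Decision(False, "unknown account", alarm=True)
    if not hmac.compare_digest(acct.pw_hash, hash_password(req.password, acct.salt)):
        return Decision(False, "credential mismatch", alarm=True)
    if acct.community != req.community:
        # the owner must be a service user of *this* community
        return Decision(False, "account belongs to another community")
    if req.wanted not in TIER_PERMISSIONS[acct.identity]:
        return Decision(False, f"{acct.identity.value} may not request {req.wanted}")
    return Decision(True, f"{acct.identity.value} granted {req.wanted}")
```

The tier table is the least-privilege boundary: an owner who asks for service management is refused even with a valid credential, and the refusal is not an alarm, whereas an unknown sender or a wrong credential is.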
In addition, in order to ensure the information security of the Community Database, users of different identities transmit data with the current overall intelligent community platform under different configured permissions. The functions that the third party access system can specifically implement include: user identity authentication, user permission control, sensitive data protection, vulnerability attack defense, active state monitoring, real-time behavior monitoring, unified audit and reporting, privilege analysis and control, sensitive data analysis, configuration security management, and the like.
User identity authentication is divided into external identity authentication and global authentication, and is used for Community Database authentication. Database authentication means that user passwords are saved in the database in encrypted form (in practice as a salted one-way hash rather than a reversible cipher, so that a compromise of the database does not disclose reusable passwords); when a user connects to the database, the username and password must be entered, and only after passing authentication can the user log in to the Community Database. There are three modes of identity authentication: checking the identity of the database user or application user through the authentication system, authenticating through the application's account, and authenticating through the user's own account.
User permission control is a matter of planning and prevention. Permissions are divided into system privileges and object privileges: a system privilege is a permission that the system grants a user to use, and an object privilege is a permission a user holds on another user's table or view. Permission management includes separation of administrator and user permissions, and granting or revoking user permissions or roles so as to restrict user access to data. Sensitive data protection includes two approaches, communication encryption and transparent database encryption: communication encryption encrypts the network connection and the data transmitted over the network, preventing data from being stolen from the network, and supports a variety of confidentiality algorithms.
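The privilege model of the preceding paragraph as an added example (not the platform's own catalog): system privileges such as CREATE_TABLE are held by a principal, object privileges such as SELECT are held on a specific table, grants can go to a user or to a role, and the security administrator who manages grants holds no data access of their own, which is the administrator/user separation the text calls for. The privilege names, principals and table names are assumptions.

```python
"""Added example: system privileges vs object privileges with separation of
administrator and user permissions.

Constructed to illustrate the permission model described in the text; the
privilege names, principals and table names are assumptions.
"""
from dataclasses import dataclass, field


class PrivilegeError(PermissionError):
    pass


@dataclass
class Principal:
    name: str
    system: set = field(default_factory=set)     # system privileges granted by the system
    objects: dict = field(default_factory=dict)  # "owner.table" -> object privileges held
    roles: set = field(default_factory=set)


class Catalog:
    """A toy privilege catalog: grants are recorded here and data access is checked here."""

    def __init__(self):
        self.users = {}
        self.roles = {}   # role -> {"owner.table": {privs}}
        self.tables = {}  # "owner.table" -> owner

    def create_user(self, name, *, security_admin=False, can_create_tables=False):
        p = Principal(name, system={"CREATE_SESSION"})
        if security_admin:
            p.system.add("GRANT_ANY_OBJECT")  # administers grants; is not granted data access
        if can_create_tables:
            p.system.add("CREATE_TABLE")
        self.users[name] = p
        return p

    def create_table(self, user, table):
        if "CREATE_TABLE" not in self.users[user].system:
            raise PrivilegeError(f"{user} lacks system privilege CREATE_TABLE")
        fq = f"{user}.{table}"
        self.tables[fq] = user
        return fq

    def _may_administer(self, grantor, fq):
        # the object's owner or a security administrator may change grants on it
        return self.tables[fq] == grantor or "GRANT_ANY_OBJECT" in self.users[grantor].system

    def grant(self, grantor, priv, fq, grantee, *, to_role=False):
        if not self._may_administer(grantor, fq):
            raise PrivilegeError(f"{grantor} may not grant on {fq}")
        target = self.roles.setdefault(grantee, {}) if to_role else self.users[grantee].objects
        target.setdefault(fq, set()).add(priv)

    def revoke(self, grantor, priv, fq, grantee, *, from_role=False):
        if not self._may_administer(grantor, fq):
            raise PrivilegeError(f"{grantor} may not revoke on {fq}")
        target = self.roles.get(grantee, {}) if from_role else self.users[grantee].objects
        target.get(fq, set()).discard(priv)

    def assign_role(self, admin, role, user):
        if "GRANT_ANY_OBJECT" not in self.users[admin].system:
            raise PrivilegeError(f"{admin} may not assign roles")
        self.users[user].roles.add(role)

    def check(self, user, priv, fq):
        """True if `user` may perform `priv` on `fq`: as owner, by direct grant, or via a role."""
        p = self.users[user]
        if self.tables.get(fq) == user:
            return True
        if priv in p.objects.get(fq, set()):
            return True
        return any(priv in self.roles.get(r, {}).get(fq, set()) for r in p.roles)
```

The point to check in a real deployment is the one `check` makes explicit: holding GRANT_ANY_OBJECT lets the administrator hand out SELECT on a table without being able to read the table, so a compromised administration account does not by itself expose owner data.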
Vulnerability attack defense comprehensively discovers various management and system risks and assists in repairing risks and vulnerabilities. Through weak password inspection, software vulnerability scanning, operating system risk checks and management risk checks, it provides protection against database vulnerability attacks, operating system vulnerability attacks, management communication attacks and denial of service attacks.
Active state monitoring monitors the database operating status in real time, provides early warning in abnormal states, prevents business paralysis and ensures the availability of the business system. The scope of monitoring includes: user activity, database memory state, file system state, query response performance and the like. User activity includes: connection time, number of users, connection information, etc. Database memory state includes: shared memory, hit rate, rollback segments, table memory and buffer monitoring. File system state includes: data file performance and disk access. Query response performance includes: index efficiency, query statistics, query buffer hit rate and similar information.
Real-time behavior monitoring is real-time monitoring of database sessions. By monitoring network traffic, a database firewall can block unauthorized access, parse SQL syntax with high accuracy, monitor and prevent SQL injection attacks, and restrict database access by means of blacklists and whitelists.
Auditing provides, for tracing security incidents, records and after-the-fact analysis capability for database operations across multiple dimensions such as statement, session, IP, database user, service user, response time and impact. Reporting provides compliance reports for session behavior, SQL behavior and risk behavior, policy reports and the like. Auditing and reporting satisfy compliance requirements; through IT auditing, tracking and tracing they facilitate after-the-fact tracing of causes and definition of responsibility, realize independent auditing, improve the IT internal control mechanism and provide analytical reports that meet the requirements.
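The database firewall and audit trail of the two preceding paragraphs, combined in one added example (not the platform's own code): each statement is reduced to a fingerprint with its literals replaced, compared against the allowlist of statement shapes the application is known to issue, screened for generic injection markers, and gated by source-IP blacklist and whitelist; every decision is written to an audit record carrying statement, session, IP, database user, service user and response time. The allowlisted shapes, the marker rules, the session data and the sample statements are all constructed for the example.

```python
"""Added example: a statement-level database firewall with an audit trail.

Constructed to illustrate the real-time behaviour monitoring and audit
functions described in the text; the allowlisted shapes, marker rules,
sessions and sample statements are assumptions, not the platform's own.
"""
import re
import time
from dataclasses import dataclass, field

_STRING = re.compile(r"'(?:[^']|'')*'")
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")
_SPACE = re.compile(r"\s+")


def fingerprint(sql: str) -> str:
    """Normalize a statement so that only its structure remains (literals become ?)."""
    s = _STRING.sub("?", sql)
    s = _NUMBER.sub("?", s)
    return _SPACE.sub(" ", s).strip().lower()


# Shapes the application is known to issue, learned from its parameterized statements.
ALLOWED_SHAPES = {
    fingerprint("SELECT name, unit FROM owners WHERE id = 1"),
    fingerprint("INSERT INTO visits (owner_id, badge, ts) VALUES (1, 'x', 1)"),
    fingerprint("UPDATE devices SET state = 'x' WHERE device_id = 'x'"),
}

# Coarse injection markers applied to the raw text: stacked statements, comments,
# tautologies and UNION-based extraction. The shape allowlist is the primary control.
INJECTION_MARKERS = [
    ("stacked statement", re.compile(r";\s*\w")),
    ("sql comment", re.compile(r"(--|/\*)")),
    ("tautology", re.compile(r"\b(or|and)\s+('?\w+'?)\s*=\s*\2\b", re.I)),
    ("union injection", re.compile(r"\bunion\b.*\bselect\b", re.I)),
]


@dataclass
class Session:
    session_id: str
    db_user: str
    service_user: str
    src_ip: str


@dataclass
class AuditRecord:
    session_id: str
    db_user: str
    service_user: str
    src_ip: str
    statement: str
    shape: str
    allowed: bool
    reason: str
    response_ms: float


@dataclass
class DatabaseFirewall:
    ip_blacklist: set = field(default_factory=set)
    ip_whitelist: set = field(default_factory=set)  # when non-empty, only these IPs may connect
    audit: list = field(default_factory=list)

    def _decide(self, sess: Session, sql: str):
        if sess.src_ip in self.ip_blacklist:
            return False, "blacklisted source"
        if self.ip_whitelist and sess.src_ip not in self.ip_whitelist:
            return False, "source not whitelisted"
        for name, rx in INJECTION_MARKERS:
            if rx.search(sql):
                return False, f"injection marker: {name}"
        fp = fingerprint(sql)
        if fp not in ALLOWED_SHAPES:
            return False, f"unknown statement shape: {fp}"
        return True, "allowed"

    def inspect(self, sess: Session, sql: str, execute):
        """Decide whether `sql` may run, run it via `execute` if so, and always audit it."""
        start = time.perf_counter()
        allowed, reason = self._decide(sess, sql)
        if allowed:
            execute(sql)
        self.audit.append(AuditRecord(
            sess.session_id, sess.db_user, sess.service_user, sess.src_ip,
            sql, fingerprint(sql), allowed, reason,
            (time.perf_counter() - start) * 1000.0,
        ))
        return allowed, reason
```

A statement that carries no marker but whose shape differs from what the application issues (an extra column, an extra predicate) is still refused, which is what makes the allowlist stronger than pattern matching alone; the audit list is what the compliance reports of the text would be built from.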
Privilege analysis and control generates reports of accounts and permission information, eliminates unreasonable authorized access, ensures that authorizations comply with the principle of least privilege for the business, and reduces business data risk.
Sensitive data analysis discovers the distribution of databases and sensitive data across data sources such as personal information, databases in violation of regulations, social security information and credit card bindings, classifies them into the report of accounts and permission information, assists in cancelling unnecessary permission settings, and applies least privilege settings to reduce security risk.
Configuration security management, by means of discovery, scanning, monitoring, repair and hardening, discovers databases automatically, collects configuration information automatically, scans unreasonable configurations automatically, detects unauthorized changes and assists in correcting existing management vulnerabilities.
Further, in order to discover abnormal conditions occurring in the community in time, as shown in Fig. 2, the community platform further includes an alarm module 16. The alarm module 16 is connected respectively with the community platform management system 11, the third party access system 12 and the public information service system 13, and is used to raise an alarm when the community platform management system 11 receives abnormal data; and/or to raise an alarm when the third party access system 12 verifies that the sender of an access request is an abnormal user; and/or to raise an alarm when the public information service system 13 processes abnormal data.
In order for the alarm module to receive the alarm signals sent by the community platform management system, the third party access system and the public information service system, it needs to be connected with them, and it raises an alarm according to the alarm signal sent. The alarm signal can be an audible alarm or an information prompt, and can be distinguished specifically according to the different alarm signals. For example, when the door card identification apparatus of the community platform management system recognizes an abnormal badge, the community platform management system sends an alarm signal to the alarm module to ring a bell alarm; when the third party access system verifies the access party as an abnormal third party, third party access is forbidden and a short message prompt alarm is raised; when the public information service system processes an abnormal marketing message sent by the merchant end, a short message alarm prompt is issued. The embodiment of the present invention is not specifically limited in this respect.
It should be noted that abnormal data, in addition to the abnormal conditions produced by the above situations, can also include abnormal data produced in each server, such as the data produced by the Web guard system after it is attacked. The Web guard system analyzes the HTTP data flow and has a fixed set of specific feature rule bases for WEB application protection, realizing an effective prevention mechanism against the existing main WEB application attack means; it can handle traditional hacker attacks such as buffer overflow, CGI scanning, directory traversal and OS command injection, as well as attack means such as SQL injection and cross-site scripting. The Web guard system has full access to and control over HTTP content; it inspects all HTTP content, interprets it and establishes rules. Once a session is intercepted and controlled by the application firewall, the WAF performs a variety of checks on outbound and inbound traffic to prevent embedded attacks, data theft and identity theft, and various policies can be specified for the inspected part to check URLs, parameters, formats and the like. The Web guard system can defend against attacks including DDoS, SYN Flood, UDP Flood, ICMP Flood, Ping of Death, Smurf and HTTP GET Flood. For attack fingerprint recognition, the Web guard system performs feature statistics and analysis on network data packets through multiple technical means, can accurately locate the current attack type and trigger different defense mechanisms, ensuring accuracy while improving efficiency. For abnormal traffic identification, the Web guard system uses a DDoS attack blind detection technique based on data mining, adaptively generating a detection model with association algorithms and clustering algorithms, so that any traffic feature deviating from these normal conditions can be captured and abnormal traffic is identified in real time, automatically and efficiently. For attack feature mining, the Web guard system mines attack features through microscopic analysis of network traffic using its own efficient feature mining capability, and the mined attack features are handed to the rule execution engine for execution. For attack traffic filtering, the Web guard system uses the rule execution engine to filter the detected attack traffic completely and thoroughly while letting normal traffic through, protecting the normal service.
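The two mechanisms of the Web guard system that can be shown in a few dozen lines, as an added example (not the platform's rule base): a feature rule base that names the attack type it matched (traversal, OS command injection, SQL injection, cross-site scripting), applied to the percent-decoded URL and body so that encoded and double-encoded payloads are caught, and a per-source sliding-window counter that flags an HTTP GET flood. The rules, the window and threshold, and the constructed requests are assumptions; the data-mining traffic model of the text is not attempted here.

```python
"""Added example: an HTTP request inspector combining a feature rule base with a
per-source flood detector.

Constructed to illustrate the Web guard system described in the text. The
rules, thresholds and constructed requests are assumptions; rules run on the
percent-decoded URL so encoded forms such as %2e%2e%2f are caught.
"""
import re
from collections import defaultdict, deque
from urllib.parse import unquote, urlsplit

# Minimal feature rule base: (attack type, regex applied to decoded URL + body).
RULES = [
    ("directory traversal", re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")),
    ("os command injection",
     re.compile(r"(?:;|\|{1,2}|&&|`|\$\()\s*(?:cat|ls|id|wget|curl|nc|bash|sh)\b")),
    ("sql injection",
     re.compile(r"(?:'\s*(?:or|and)\s*'?\w+'?\s*=|\bunion\b.*\bselect\b|;\s*drop\b)", re.I)),
    ("cross-site scripting", re.compile(r"<\s*script\b|javascript:|\bon\w+\s*=", re.I)),
]


class WebGuard:
    def __init__(self, window_seconds=1.0, max_requests=100):
        self.window = window_seconds
        self.limit = max_requests
        self.history = defaultdict(deque)  # src_ip -> timestamps of recent requests

    def _flooding(self, src_ip, now):
        """Sliding window: more than `limit` requests inside `window` seconds is a flood."""
        q = self.history[src_ip]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q) > self.limit

    def inspect(self, src_ip, method, target, body="", now=0.0):
        """Return ('allow', None) or ('block', attack_type) for one request."""
        if self._flooding(src_ip, now):
            return "block", "http get flood" if method == "GET" else "http flood"
        parts = urlsplit(target)
        # decode twice so that double-encoded payloads (%252e -> %2e -> .) are seen as sent
        decoded = (unquote(unquote(parts.path)) + "?" + unquote(unquote(parts.query))
                   + "\n" + unquote(body))
        for attack_type, rx in RULES:
            if rx.search(decoded):
                return "block", attack_type
        return "allow", None
```

The attack type returned is the "fingerprint" the text refers to when it speaks of locating the attack type and triggering a matching defense; a real deployment would feed it into the alarm module and into the rule execution engine's filtering decision rather than returning a tuple.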
In addition, the Web application acceleration technique used in this overall intelligent community platform, while comprehensively protecting the security of the website, realizes application acceleration and optimizes website performance through mechanisms such as connection pooling and caching, and improves the Web request response speed for users several times over through high-performance hardware and software acceleration algorithms, thereby improving the availability of the website.
Further, in order to ensure the security of this overall intelligent community platform when performing internet data connections, as shown in Fig. 2, the community platform further includes an internet data management module 17, which is connected with the public information service system 13 and is used to upload the data in the public information service system 13 to the cloud and perform cloud data management.
It should be noted that, because data is collected in this community platform over a long period, a large amount of data accumulates; to facilitate data analysis and storage, data management can be performed through a big data cloud platform. For example, an Internet data center (IDC) is established through the internet data management module, and the large amount of data processed in real time in the public information service system is uploaded over the Internet connection to the IDC for management.
This overall intelligent community platform not only supports the standard Internet of Things protocol to realize interconnection and intercommunication of each Internet of Things device, but can also realize access by each manufacturer's system according to the standard interface of the open third party access system, for unified management. As shown in Fig. 4, the overall intelligent community platform in the embodiment of the present invention specifically consists of subsystems such as an operation system, a business system, a device management system and application systems (property management, resident, merchant), and provides open interfaces to accessing parties such as third party intelligent device systems, property management, residents and merchants, supporting seamless access of each manufacturer's platforms, systems and hardware. Through the unified management and allocation of the community platform management system, data is backed up in duplicate, safely and reliably, and various business and service operations can be provided, creating a more convenient and high-quality life. In addition, using a TCP/IP digital intercom system, property management functions such as bulletin issuance and owner repair reports are realized; using the accessing mobile terminals, online consumer shopping, online transactions and online electronic payment are realized, together with various commercial activities, transactions and financial activities between merchants and the related comprehensive service activities, so that community residents can complete the purchase of most daily necessities without leaving home. Thereby informatization, digitization, Internet of Things, automation and intelligent technology are realized, including intelligent home security alarms, visitor video intercom, automatic monitoring of electrical appliances, integrated information browsing, and multi-screen interactive display and operation in the home.
In addition, this overall intelligent community platform uses distributed deployment, realizing deployment of one service in many places; the corresponding server is selected according to the load condition of the connections to this overall intelligent community platform, improving operational efficiency. By setting a virtual server IP, this overall intelligent community platform virtualizes the application resources of multiple real servers at the back end into one high-performance application server: a user's request is forwarded to a community center management server by the load balancing algorithm, the community center management server returns the response to the load balancer, and the load balancer forwards the response to the user. This hides the internal web structure from Internet users and prevents users from directly accessing the community center management servers, making the servers more secure and preventing attacks on the core network stack and the other port services running on it. The load balancing device, whether software or hardware, continuously checks the application state on the community center management servers and automatically isolates invalid application servers, realizing a simple, highly scalable and highly reliable application solution and solving the problems of insufficient single-server processing performance, insufficient scalability and low reliability.
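The virtual-IP load balancer of the preceding paragraph as an added example (not the platform's own code): back ends are probed for application state, a server that fails the probe repeatedly is isolated until it recovers, requests go to the healthy server with the fewest in-flight connections, and the response relayed to the client carries the virtual IP but never the real server's address. The back ends are simulated in-process with callables; the failure threshold and the least-connections policy are assumptions.

```python
"""Added example: a virtual-IP load balancer that health-checks its back-end
community center management servers and isolates the ones that fail.

Constructed to illustrate the distributed deployment described in the text; the
back ends are simulated with callables, and the failure threshold and
least-connections selection are assumptions.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass
class Backend:
    name: str                      # internal address, never disclosed to the client
    handler: Callable[[dict], dict]  # request -> {'status', 'body', 'server'}
    probe: Callable[[], bool]      # application-state check
    failures: int = 0
    isolated: bool = False
    active: int = 0                # in-flight requests, for least-connections selection
    served: int = 0


class NoHealthyBackend(RuntimeError):
    pass


class LoadBalancer:
    def __init__(self, vip, backends, fail_threshold=2):
        self.vip = vip
        self.backends = list(backends)
        self.fail_threshold = fail_threshold

    def health_check(self):
        """Probe every back end; isolate after `fail_threshold` consecutive failures, recover on success."""
        for b in self.backends:
            if b.probe():
                b.failures = 0
                b.isolated = False
            else:
                b.failures += 1
                if b.failures >= self.fail_threshold:
                    b.isolated = True

    def _pick(self):
        healthy = [b for b in self.backends if not b.isolated]
        if not healthy:
            raise NoHealthyBackend(f"no healthy server behind {self.vip}")
        return min(healthy, key=lambda b: (b.active, b.served))

    def handle(self, request):
        """Forward one request to a back end and relay only the client-facing part of the response."""
        b = self._pick()
        b.active += 1
        try:
            resp = b.handler(request)
        finally:
            b.active -= 1
            b.served += 1
        return {"status": resp["status"], "body": resp["body"], "via": self.vip}
```

Note that `handle` deliberately drops the back end's `server` field: the hiding of the internal structure that the text credits to the virtual IP only holds if the relayed response is not allowed to leak it.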
The extension of the overall intelligent community platform can be divided into vertical extension (scaling up) and horizontal extension (scaling out). Vertical extension realizes the improvement of server processing capability from the perspective of a single machine by increasing hardware processing capacity, such as CPU processing capacity, memory size and disks. For a large-scale distributed system or website, however, this cannot satisfy the demands of large traffic, high concurrency and massive data; it is therefore necessary to use horizontal extension, meeting the processing capacity requirements of large-scale website services by adding machines. For example, if one machine cannot satisfy the demand, two or more machines are added to share the access pressure.
Obviously, those skilled in the art should understand that each module or each step of the above invention can be realized by a general computing device; they can be concentrated on a single computing device or distributed over a network formed by multiple computing devices; optionally, they can be realized with program code executable by the computing device, so that they can be stored in a storage device and executed by the computing device; in some cases the steps shown or described may be executed in an order different from that herein, or they may be made into individual integrated circuit modules, or multiple modules or steps among them may be made into a single integrated circuit module. In this way, the present invention is not limited to any specific combination of hardware and software.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit the invention; for those skilled in the art, the invention may be variously modified and varied. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.