
CN102378982B - Monitoring system and communication management device - Google Patents

Monitoring system and communication management device

Info

Publication number
CN102378982B
Authority
CN
China
Prior art keywords
terminal
connection
monitoring
terminals
sip
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201080014851.1A
Other languages
Chinese (zh)
Other versions
CN102378982A (en)
Inventor
藤沢正幸
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
CIKOM Co Ltd
Original Assignee
CIKOM Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by CIKOM Co Ltd
Publication of CN102378982A
Application granted
Publication of CN102378982B
Legal status: Active (current)
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/606 Protecting data by securing the transmission between two devices or processes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04N PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N7/00 Television systems
    • H04N7/18 Closed-circuit television [CCTV] systems, i.e. systems in which the video signal is not broadcast

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Multimedia (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Telephonic Communication Services (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Closed-Circuit Television Systems (AREA)
  • Alarm Systems (AREA)

Abstract

A communication management device (11) is connected to a plurality of terminals. The terminals are monitoring devices (15) and user devices (17). When terminals communicate with each other, the connection-source terminal sends a SIP INVITE message to the communication management device (11). In addition to a SIP server (37), the communication management device (11) has a permission information storage unit (101), which stores connection permission information listing the combinations of terminals whose connection should be permitted, and a permission processing unit (103), which refers to the connection permission information to permit connections between terminals. When the SIP server (37) obtains an INVITE message from the connection-source terminal, the SIP server (37) delivers the INVITE message from the connection-source terminal to the connection-destination terminal only if the permission processing unit (103) has permitted the connection between the source and destination terminals. This provides a monitoring system that improves security when SIP is applied to a monitoring system.

Description

Monitoring system and communication management device

Technical field

The present invention relates to a monitoring system in which a terminal on the monitored-object side and a terminal on the user side are connected to each other so that they can communicate, the monitored-object terminal acquires monitoring information, and the user-side terminal receives and uses that monitoring information.

Background

Conventionally, monitoring systems that install surveillance cameras at monitored objects such as stores and factories and monitor the video remotely have been in practical use. The surveillance video is sent to a remote monitoring center and to the office of the owner of the monitored object. The video is transmitted over ordinary public lines such as ISDN (for example, Patent Document 1).

In recent years, with the spread of broadband lines such as ADSL and FTTH, demand has grown for sending and receiving surveillance video and the like over the Internet. Using the Internet helps reduce cost and increase system flexibility.

A protocol called SIP (Session Initiation Protocol) is known as a technology for carrying voice and video over the Internet. SIP is used for IP telephony, video conferencing and the like. To connect two sites with SIP, the address of each site is registered with a SIP server; SIP communication is then possible between the sites whose addresses are registered.

However, if SIP is applied to a monitoring system, security must be considered. A monitoring system that lets the video and other data of a monitored object be watched from outside demands a high level of security, whereas in SIP any site whose address is registered can be connected. From a security standpoint it is therefore undesirable to apply SIP to a monitoring system as it is.

For example, suppose the monitored objects are stores and the terminals of several stores are connected to a monitoring center. The monitoring center is also connected to the terminal of each store's owner. In this case, the only terminal that should be able to connect to a given store's terminal is that store owner's terminal.

In conventional SIP, however, any terminals whose addresses are registered with the SIP server can connect to each other. As a basic authentication function the SIP server can authenticate an ID and password, but this covers only authentication between a terminal and the SIP server. Once a terminal's connection to the SIP server is permitted, the combinations of terminals that may connect through the SIP server cannot be restricted, so the connection between a store's terminal and an owner's terminal cannot be restricted either. A store owner could therefore obtain the monitoring information of stores other than his own.

Patent Document 1: Japanese Patent Laid-Open No. 2001-54102

Summary of the invention

The present invention was made against the above background. Its object is to provide a monitoring system that improves security when SIP is applied to a monitoring system.

One aspect of the present invention is a monitoring system comprising a plurality of terminals that communicate monitoring information and a communication management device that manages the communication of those terminals, each terminal being installed either on the side of a monitored object or on the side of a user who uses monitoring information received from the monitored object. When one of the terminals requests a connection to another terminal, the connection-source terminal sends to the communication management device a SIP INVITE message that includes identification information of the connection-destination terminal. The communication management device comprises a SIP server; a permission information storage unit that stores connection permission information indicating the combinations of terminals whose connection should be permitted; and a permission processing unit that refers to the connection permission information to decide whether to permit a connection between terminals. When the SIP server obtains the INVITE message from the connection-source terminal, it passes the identification information of the connection-destination terminal contained in the INVITE message to the permission processing unit, and when the permission processing unit permits the connection between the terminals, the SIP server delivers the INVITE message from the connection-source terminal to the connection-destination terminal.

Another aspect of the present invention is a communication management device that manages the communication of a plurality of terminals that communicate monitoring information. The communication management device comprises a SIP server; a permission information storage unit that stores connection permission information indicating the combinations of terminals whose connection should be permitted; and a permission processing unit that refers to the connection permission information to decide whether to permit a connection between terminals. When the SIP server obtains from one of the terminals a SIP INVITE message that includes identification information of another terminal, the permission processing unit decides, from the identification information of the connection-destination terminal contained in the INVITE message, whether to permit the connection between the terminals, and when the permission processing unit permits the connection, the SIP server delivers the INVITE message from the connection-source terminal to the connection-destination terminal.

As described below, the present invention has other aspects. This disclosure is therefore intended to present some aspects of the invention and does not limit the scope of the invention described and claimed here.

Brief description of the drawings

FIG. 1 shows the overall configuration of the monitoring system of the present invention.

FIG. 2 is a block diagram showing the configuration of the monitoring system in more detail.

FIG. 3 is a block diagram showing the main components of the monitoring system of the present invention.

FIG. 4 shows an example of the table of connection permission information stored in the permission information storage unit.

FIG. 5 shows the operation when communication between terminals is performed in the monitoring system.

FIG. 6 shows the operation when the monitoring device is the connection source for communication between terminals.

FIG. 7 shows the operation when the user device is the connection source for communication between terminals.

Reference numerals

1 Monitoring system
3 Monitoring center
5 Monitored object
7 User site
11 Communication management device
13 Center device
15 Monitoring device
17 User device
21 Center-terminal VPN
23 SIP communication
25 Inter-terminal VPN
33 HTTP server
35 VPN server
37 SIP server
41 Account management server
43 Database
61 Controller
63 IP line unit
65, 83 Router
69 Multi-line adapter
73 Surveillance camera
81 VPN terminal device (VTE)
85 User PC
101 Permission information storage unit
103 Permission processing unit

Detailed description

The present invention is described in detail below. The following detailed description and the drawings do not limit the present invention.

The present invention is a monitoring system comprising a plurality of terminals that communicate monitoring information and a communication management device that manages the communication of those terminals, each terminal being installed either on the side of a monitored object or on the side of a user who uses monitoring information received from the monitored object. When one of the terminals requests a connection to another terminal, the connection-source terminal sends to the communication management device a SIP INVITE message that includes identification information of the connection-destination terminal. The communication management device comprises a SIP server; a permission information storage unit that stores connection permission information indicating the combinations of terminals whose connection should be permitted; and a permission processing unit that refers to the connection permission information to decide whether to permit a connection between terminals. When the SIP server obtains the INVITE message from the connection-source terminal, it passes the identification information of the connection-destination terminal contained in the INVITE message to the permission processing unit, and when the permission processing unit permits the connection between the terminals, the SIP server delivers the INVITE message from the connection-source terminal to the connection-destination terminal.

As described above, according to the present invention, the terminals of the monitoring system are connected to a communication management device that has a SIP server. In addition to the SIP server, the communication management device has a permission information storage unit, which stores connection permission information indicating the combinations of terminals whose connection should be permitted, and a permission processing unit, which refers to that information to decide whether to permit a connection between terminals. In SIP signaling, an INVITE message is sent from the connection-source terminal to the SIP server. At that point, in the present invention, the permission processing unit decides whether to permit the connection. When it does, the SIP server sends the INVITE message from the connection-source terminal to the connection-destination terminal and the SIP signaling succeeds.

Thus, in the present invention, information on the combinations of terminals whose connection should be permitted is stored in advance, and the connection between terminals is permitted at the time of SIP signaling. Instead of simple authentication between a terminal and the SIP server, permission is granted for the terminal-to-terminal (peer-to-peer) connection that passes through the SIP server, so the users of the monitoring information can be restricted appropriately. This improves security when SIP is applied to a monitoring system.

When the connection-destination terminal receives the INVITE message from the communication management device, it may send a SIP OK message to the communication management device. Connection establishment information may be attached to the INVITE message and the OK message; it is used, after the SIP session is established, to set up a terminal-to-terminal connection between the connection-source and connection-destination terminals that does not pass through the communication management device.

In this way, once the SIP session is established, monitoring information can be communicated between the terminals without going through the communication management device. The present invention performs communication in two phases. The first phase is SIP, carried out via the communication management device. The second phase is a terminal-to-terminal connection that does not involve the communication management device. Signaling takes place when the SIP connection is made, and the INVITE and OK messages are exchanged during that signaling. The present invention uses these SIP signaling messages to exchange the connection establishment information needed to set up the terminal-to-terminal connection, so SIP is put to good use for connecting the terminals. The traffic between the communication management device and the terminals, and hence the load on the communication management device, is also reduced.

The terminal-to-terminal connection that bypasses the communication management device may be an inter-terminal VPN, a VPN built between the terminals. Applying a VPN (virtual private network) to the terminal-to-terminal communication (the second-phase communication after the SIP connection described above) improves security, and the two-way message exchange of SIP signaling is suited to exchanging the information needed to establish the VPN connection.

The INVITE message may contain the IP address and electronic certificate of the connection-source terminal as connection establishment information, and the OK message may contain the IP address and electronic certificate of the connection-destination terminal as connection establishment information. The information used for the VPN connection can thus be exchanged appropriately via SIP, and secure communication can be performed between the terminals.
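The two-phase flow described above, as an added example in Python (not the patent's own code): the communication management device checks the From/To pair of an INVITE against the connection permission table before forwarding it, relays the destination's OK back only for a call it admitted, and each terminal reads the peer's IP address and certificate out of the message it receives. The SIP addresses, Call-IDs, IP addresses, certificate placeholders and the key=value body format are constructed for this example; treating each permitted combination as an unordered pair (either device may be the connection source, as in FIGS. 6 and 7) and matching the OK's Call-ID and From/To against the admitted call are assumptions of the example, not details the page states.

```python
"""Permission-gated SIP signalling carrying connection-establishment info (added example)."""
from dataclasses import dataclass, field

# Constructed permission table: the combinations of terminals whose connection is
# permitted, stored as unordered pairs (assumption: either side may be the source).
PERMITTED_PAIRS = {
    frozenset({"sip:store-a@center.example", "sip:owner-a@center.example"}),
    frozenset({"sip:store-b@center.example", "sip:owner-b@center.example"}),
}

CRLF = "\r\n"


def parse_sip(raw: str):
    """Split a SIP message into start line, lower-cased headers and a key=value body."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    params = {}
    for line in body.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return lines[0], headers, params


def build_sip(start_line: str, headers: dict, params: dict) -> str:
    """Serialize a SIP message; the body carries the connection-establishment info."""
    head = CRLF.join([start_line] + [f"{k}: {v}" for k, v in headers.items()])
    body = CRLF.join(f"{k}={v}" for k, v in params.items())
    return head + CRLF + CRLF + body


def build_invite(src, dst, call_id, ip, cert):
    """INVITE from the connection source, carrying its own IP address and certificate."""
    return build_sip(f"INVITE {dst} SIP/2.0",
                     {"From": src, "To": dst, "Call-ID": call_id},
                     {"ip": ip, "cert": cert})


def build_ok(src, dst, call_id, ip, cert):
    """200 OK from the destination; From/To are copied from the INVITE as in SIP."""
    return build_sip("SIP/2.0 200 OK",
                     {"From": src, "To": dst, "Call-ID": call_id},
                     {"ip": ip, "cert": cert})


@dataclass
class ManagementDevice:
    """SIP server plus permission processing unit; remembers admitted calls by Call-ID."""
    permitted: set
    pending: dict = field(default_factory=dict)

    def handle_invite(self, raw):
        _, h, _ = parse_sip(raw)
        src, dst, call_id = h.get("from"), h.get("to"), h.get("call-id")
        if frozenset({src, dst}) not in self.permitted:
            # Not a permitted combination: answer the source; the destination never sees it.
            return "reject", build_sip("SIP/2.0 403 Forbidden",
                                       {"From": src, "To": dst, "Call-ID": call_id}, {})
        self.pending[call_id] = (src, dst)
        return "forward", raw

    def handle_ok(self, raw):
        _, h, _ = parse_sip(raw)
        call_id = h.get("call-id")
        admitted = self.pending.get(call_id)
        # Relay only an OK for a call this device admitted, with matching From/To
        # (assumption: prevents an OK being injected for a call that was never permitted).
        if admitted is None or admitted != (h.get("from"), h.get("to")):
            return "drop", None
        del self.pending[call_id]
        return "relay", raw


def peer_endpoint(raw):
    """What a terminal extracts from the message it receives: the peer's IP and certificate."""
    _, _, params = parse_sip(raw)
    return params["ip"], params["cert"]


def run_exchange(src, dst, device=None):
    """Phase 1 end to end: INVITE, permission decision, OK, and what each side learns."""
    if device is None:
        device = ManagementDevice(PERMITTED_PAIRS)
    invite = build_invite(src, dst, "call-1", "198.51.100.10", "CERT-SRC")  # constructed
    action, msg = device.handle_invite(invite)
    if action != "forward":
        return action, None, None
    dst_view = peer_endpoint(msg)  # destination learns the source's IP and certificate
    ok = build_ok(src, dst, "call-1", "203.0.113.20", "CERT-DST")  # constructed
    action, msg = device.handle_ok(ok)
    src_view = peer_endpoint(msg) if msg else None  # source learns the destination's
    return action, dst_view, src_view


if __name__ == "__main__":
    print(run_exchange("sip:store-a@center.example", "sip:owner-a@center.example"))
    print(run_exchange("sip:owner-b@center.example", "sip:store-a@center.example"))
```

The second call in the usage block is the case from the background section: an owner's terminal asking for a store that is not its own is answered with 403 Forbidden and the store's terminal is never contacted, even though both terminals are registered with the SIP server. Before bringing up the inter-terminal VPN, a terminal would still verify the certificate it received against the trusted third-party issuer the embodiment relies on; that validation is outside this example.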

通信管理装置可设置在监视中心上,该监视中心利用与多个终端的通信对监视对象进行监视。这样一来,可利用通信管理装置良好地进行监视中心和终端的通信及终端间的通信。The communication management device may be installed in a monitoring center which monitors a monitoring target by communicating with a plurality of terminals. In this way, the communication between the monitoring center and the terminal and the communication between the terminals can be satisfactorily performed by the communication management device.

通信管理装置和多个终端的连接可在通信管理装置和多个终端间通过构筑了VPN的中心终端间VPN连接,SIP服务器可借助中心终端间VPN使多个终端和SIP消息通信。这样一来,SIP通信在中心终端间VPN上进行。以上论述了SIP会话确立后在终端间进行VPN连接。这里的中心终端间VPN是中心和各终端间的VPN。通过使用中心终端间VPN,可确保监视中心和各终端的通信的安全性,并且也可确保SIP通信的安全性。The connection between the communication management device and the multiple terminals can be through the central terminal-to-terminal VPN connection between the communication management device and the multiple terminals, and the SIP server can communicate the multiple terminals with SIP messages through the central terminal-to-center VPN. In this way, SIP communication is performed on the VPN between the center terminals. The foregoing has discussed the VPN connection between terminals after the SIP session is established. The center-terminal VPN here is a VPN between the center and each terminal. By using the VPN between the center terminals, the security of communication between the monitoring center and each terminal can be secured, and the security of SIP communication can also be secured.

监视信息可包括由监视对象拍摄的图像、由监视对象检测出的监视信号以及通过使用者一侧生成的控制信息中的至少一个。这样一来,可在终端间对监视信息进行通信。The monitoring information may include at least one of images captured by the monitoring target, monitoring signals detected by the monitoring target, and control information generated by the user. In this way, monitoring information can be communicated between terminals.

本发明的另一方式是一种通信管理装置,管理对监视信息进行通信的多个终端的通信,其中,通信管理装置具有:SIP服务器;许可信息存储部,存储连接许可信息,该连接许可信息表示连接应被许可的终端的组合;和许可处理部,参照连接许可信息,判断是否许可终端间的连接,SIP服务器从多个终端中的一个取得包括对其他终端的识别信息在内的SIP的邀请消息时,许可处理部根据邀请消息中含有的连接地终端的识别信息判断是否许可终端间的连接,当许可处理部许可了连接时,SIP服务器将来自连接源终端的邀请消息提供到连接地终端。该方式中也可适用上述各种构成。Another aspect of the present invention is a communication management device that manages communications of a plurality of terminals that communicate monitoring information, wherein the communication management device includes: a SIP server; a permission information storage unit that stores connection permission information, the connection permission information Indicates the combination of terminals whose connection should be permitted; and the permission processing unit refers to the connection permission information to determine whether to permit the connection between the terminals, and the SIP server obtains the SIP information including the identification information for other terminals from one of the plurality of terminals. In the case of an invitation message, the permission processing unit judges whether to allow the connection between the terminals based on the identification information of the connection destination terminal contained in the invitation message, and when the permission processing unit approves the connection, the SIP server provides the invitation message from the connection source terminal to the connection destination. terminal. Also in this form, the various configurations described above can be applied.

本发明不限于上述监视系统及通信管理装置的方式。本发明的其他方式例如是终端装置。并且,本发明可通过方法、程序、或记录了该程序的计算机可读取的记录介质的形式来实现。The present invention is not limited to the aspects of the above-mentioned monitoring system and communication management device. Another aspect of the present invention is, for example, a terminal device. Also, the present invention can be realized in the form of a method, a program, or a computer-readable recording medium in which the program is recorded.

如上所述,本发明可提高将SIP适用于监视系统时的安全性。As described above, the present invention can improve security when SIP is applied to a surveillance system.

以下参照附图说明本发明的实施方式的监视系统。A monitoring system according to an embodiment of the present invention will be described below with reference to the drawings.

图1表示本发明的监视系统的整体构成。如图所示,监视系统1中,在监视中心3、监视对象5及使用者地点7之间进行通信。其中,使用者是指监视系统1中的监视对象5的监视服务的使用者。在本实施方式的例子中,监视对象5是店铺,使用者地点7是店铺主人的办公室。FIG. 1 shows the overall configuration of the monitoring system of the present invention. As shown in the figure, in the monitoring system 1 , communication is performed among the monitoring center 3 , the monitoring object 5 and the user site 7 . Here, the user refers to the user of the monitoring service of the monitoring object 5 in the monitoring system 1 . In the example of this embodiment, the monitoring object 5 is a shop, and the user location 7 is the office of the shop owner.

监视中心3中具有通信管理装置11及多个中心装置13,它们连接为能够通信。通信管理装置11及多个中心装置13可配置在地理上远离的地点。多个中心装置13可分别配置在多个担当区域。并且,多个中心装置13可分担功能。例如,某中心装置13可作为处理警备相关的信号的管制中心装置发挥作用,其他中心装置13可作为主要处理监视影像的图像中心装置发挥作用。此外,在本发明的范围内,中心装置13也可以是一个。The monitoring center 3 has a communication management device 11 and a plurality of center devices 13, and these are connected so as to be communicable. The communication management device 11 and the plurality of central devices 13 can be arranged in geographically distant places. A plurality of center devices 13 can be respectively arranged in a plurality of responsible areas. Also, a plurality of central devices 13 can share functions. For example, a certain center device 13 may function as a control center device that processes signals related to security, and another center device 13 may function as an image center device that mainly processes surveillance images. In addition, within the scope of the present invention, there may be only one central device 13 .

监视对象5及使用者地点7中分别设置监视装置15及使用者装置17。监视装置15及使用者装置17相当于本发明的终端。监视装置15将监视信息发送到中心装置13及使用者装置17。监视信息例如是监视照相机的图像,并且是由监视对象5检测出的监视信号。监视信号例如是表示发生异常的警备信号,根据来自设置在监视对象5上的传感器的检测信号生成警备信号,或者在操作警报按钮(开关)时生成。并且,使用者装置17向监视装置15发送控制信号或声音信号。这种从使用者装置17到监视装置15的信号也包含在监视信息中。A monitoring device 15 and a user device 17 are installed in the monitoring object 5 and the user site 7, respectively. The monitoring device 15 and the user device 17 correspond to the terminal of the present invention. The monitoring device 15 transmits monitoring information to the center device 13 and the user device 17 . The surveillance information is, for example, an image of a surveillance camera, and is a surveillance signal detected by the surveillance target 5 . The monitoring signal is, for example, a warning signal indicating occurrence of an abnormality, and is generated based on a detection signal from a sensor provided on the monitored object 5 or when an alarm button (switch) is operated. Furthermore, the user device 17 transmits a control signal or an audio signal to the monitoring device 15 . Such a signal from the user device 17 to the monitoring device 15 is also included in the monitoring information.

图1中示出了一个监视对象5及一个使用者地点7。但实际上,监视中心3与多个监视对象5及多个使用者地点7通信。因此,通信管理装置11也与多个监视装置15及多个使用者装置17通信。各监视装置15与建立关联的使用者装置17(店铺主人的终端)通信。FIG. 1 shows a surveillance object 5 and a user location 7 . However, in reality, the monitoring center 3 communicates with a plurality of monitoring objects 5 and a plurality of user sites 7 . Therefore, the communication management device 11 also communicates with a plurality of monitoring devices 15 and a plurality of user devices 17 . Each monitoring device 15 communicates with an associated user device 17 (terminal of a store owner).

根据图1的监视系统1,例如监视装置15通过传感器信号等检测异常。此时,作为监视信息的警备信号与监视对象5的影像一起被发送到监视中心3。在监视中心3,操作者通过中心装置13的监视器确认警备信号和影像,向警备人员发出必要的指示。接受到指示的警备人员快速到达至监视对象5,处理异常。According to the monitoring system 1 of FIG. 1, for example, the monitoring device 15 detects an abnormality by a sensor signal or the like. At this time, a warning signal as monitoring information is transmitted to the monitoring center 3 together with the video of the monitoring object 5 . In the monitoring center 3, the operator confirms the warning signal and video through the monitor of the center device 13, and issues necessary instructions to the guards. The security personnel who received the instructions quickly arrived at the surveillance object 5 to deal with the abnormality.

并且,例如监视装置15定期地或根据其他设定将监视对象5的影像等发送到使用者装置17。例如,通过传感器检测出来客时,影像等被发送到使用者装置17。并且,也存在使用者装置17要求发送影像等的情况。主人可根据影像等掌握店铺的情况。并且,主人能够从使用者装置17向监视装置15发送声音等,将必要事项指示给店员。In addition, for example, the monitoring device 15 sends the video of the monitoring object 5 to the user device 17 periodically or according to other settings. For example, when a sensor detects a visitor, an image or the like is sent to the user device 17 . In addition, there may be a case where the user device 17 requests transmission of a video or the like. The owner can grasp the situation of the store based on images and the like. In addition, the owner can send a voice or the like from the user device 17 to the monitoring device 15 to instruct the clerk about necessary matters.

Next, the communication scheme of the monitoring system 1 is described. The communication management device 11, the monitoring device 15 and the user device 17 are connected to the Internet.

Further, the communication management device 11 is connected to the monitoring device 15 and the user device 17 over the Internet through a center-terminal VPN (Virtual Private Network) 21. To build the center-terminal VPN 21, the communication management device 11 is given a VPN server function, and the monitoring device 15 and the user device 17 are given a VPN client function. In the VPN, a VPN tunnel is built and communication is encrypted, achieving a high level of security.

The monitoring device 15 and the user device 17 perform SIP communication 23 via the communication management device 11. The SIP communication 23 is carried over the center-terminal VPN 21 described above. The communication management device 11 has a SIP server function.

Furthermore, the monitoring device 15 and the user device 17 are connected directly through an inter-terminal VPN 25 without going through the communication management device 11. To build this inter-terminal VPN 25, the user device 17 is given a VPN server function and the monitoring device 15 a VPN client function.

Of these, the center-terminal VPN 21 is always connected, with a VPN tunnel established, and is used for communication between the center device 13 and the monitoring device 15 and user device 17. The inter-terminal VPN 25, on the other hand, is built only when necessary.

The reason for using the inter-terminal VPN 25 is as follows. The monitoring system 1 communicates large volumes of data such as video. If the center-terminal VPN 21 were used for all communication, the load on the communication management device 11 would become excessive. Therefore, communication between the monitoring device 15 and the user device 17 is carried over the inter-terminal VPN 25, which reduces the load on the communication management device 11 while maintaining security.

The SIP communication 23 in this embodiment plays a special role, different from that of ordinary IP telephony and the like. That is, in this embodiment, SIP signaling is positioned as a preparatory process before the VPN connection. Specifically, when a SIP 23 session is established, signaling takes place. This signaling is a two-way exchange of an INVITE message and an OK message. On the other hand, establishing a VPN connection requires an exchange of information; in this embodiment, IP addresses and electronic certificates are exchanged. The electronic certificates are used to verify the validity of electronic signatures and the like, and certificates issued by a trusted third-party authority are used. Thus, the signaling of the SIP communication 23 is used as the means of exchanging the information needed to establish the VPN connection.

The overall configuration of the monitoring system 1 has been described above. As described, this embodiment uses two kinds of VPN. One connects the communication management device 11 and a terminal (the monitoring device 15 or the user device 17), and the other connects the terminals to each other (the monitoring device 15 and the user device 17). To distinguish the two, FIG. 1 uses the terms center-terminal VPN 21 and inter-terminal VPN 25. These may also be shortened to VPN 21 and VPN 25.

Next, the configuration of the monitoring system 1 is described in detail with reference to FIG. 2. The communication management device 11 has a firewall 31, an HTTP server 33, a VPN server 35, a SIP server 37, a STUN server 39, an account management server 41, a database 43 and a log server 45.

The firewall 31 blocks all data other than the communication data used between the communication management device 11 and the monitoring device 15 and user device 17. The HTTP server 33 is used for the Internet connection. The VPN server 35 performs the authentication and encryption for building VPN tunnels.

The VPN server 35 implements the center-terminal VPN 21, building a VPN between the communication management device 11 and the monitoring device 15 and a VPN between the communication management device 11 and the user device 17. Signals from the monitoring device 15 are decrypted by the VPN server 35 and forwarded to the center device 13. Signals from the center device 13 are encrypted by the VPN server 35 and sent to the monitoring device 15. When the communication management device 11 itself sends a signal to the monitoring device 15, that too is encrypted by the VPN server 35. The VPN server 35 likewise encrypts and decrypts communication between the communication management device 11 and the user device 17.

The SIP server 37 handles signaling according to the SIP protocol and connects the monitoring device 15 and the user device 17. When the user device 17 requests a connection to the monitoring device 15, or the monitoring device 15 requests a connection to the user device 17, the SIP server 37 performs SIP connection control.

In SIP signaling, messages are exchanged; specifically, an INVITE message and an OK message. As described above, this message exchange is used to exchange the IP addresses and electronic certificates needed to establish the VPN connection.

The STUN server 39 provides STUN functionality to cope with the NAT function of the routers at the monitoring device 15 and the user device 17.

The account management server 41 manages various information such as authentication information. The managed information is stored in the database 43 and includes IP line accounts, the electronic certificates used for VPN connection (tunnel construction), and key pair information. In this embodiment, connections between terminals are authenticated and permitted during SIP signaling. The information used for this is also held in the database 43 and used by the account management server 41. Authentication and permission of connections between terminals may instead be performed by the SIP server itself; in that case, the permission processing unit and the permission information storage unit of the present invention are provided on the SIP server.

The log server 45 stores the logs generated by the monitoring device 15.

The center device 13 has a monitoring station 51 and a line connection device 53. The monitoring station 51 is connected to the communication management device 11 via the line connection device 53. For example, when the center device 13 is an image center, surveillance video is provided to the monitoring station 51 and managed there. When the center device 13 is a control center, security-related information is provided to the monitoring station 51. The surveillance video is also displayed on the control center's monitors. Surveillance video and the like may also be communicated between center devices.

Next, the monitoring device 15 is described. The monitoring device 15 includes a controller 61, an IP line unit 63, a router 65, peripheral devices 67, a multi-line adapter 69 and a monitored PC (personal computer) 71.

The controller 61 is a computer that implements the monitoring function in cooperation with the peripheral devices 67. The controller 61 is connected to the monitoring center 3 via the IP line unit 63, and is also connected to the user device 17 via the IP line unit 63.

In FIG. 2, a surveillance camera 73, a sensor 75 and an alarm button 77 are shown as examples of the peripheral devices 67. The controller 61 detects abnormalities by applying image recognition to the surveillance video. It also detects abnormalities from the detection signal input from the sensor 75, and when the alarm button 77 is pressed. Other peripheral devices may also be used to detect abnormalities. When an abnormality occurs, the controller 61 communicates with the center device 13 and sends a security signal and an image signal. A microphone is provided together with the surveillance camera 73, so an audio signal is sent as well. In this way the controller 61 implements the security function for the monitoring target 5.

Surveillance video and audio are also sent when the center device 13 requests them. Further, surveillance video and audio are sent to the user device 17. Transmission to the user device 17 may be performed periodically, for example, or according to other settings. For example, when the sensor 75 detects a visitor, video and the like are sent to the user device 17. The monitoring device 15 also sends video and the like when the user device 17 requests it.

The IP line unit 63 builds the VPN tunnel used by the controller 61 to communicate with the communication management device 11, and the VPN tunnel used by the controller 61 to communicate with the user device 17. The former corresponds to the center-terminal VPN 21 and the latter to the inter-terminal VPN 25. In both connections, the IP line unit 63 acts as the VPN client.

In FIG. 2, the IP line unit 63 is shown as an internal component of the controller 61. This represents the physical arrangement. In terms of the communication configuration, the IP line unit 63 sits between the controller 61 and the router 65. The IP line unit 63 and the controller 61 are connected by an Ethernet (registered trademark) LAN. The router 65 is a broadband-line router.

The multi-line adapter 69 is connected to the center device 13 via the mobile telephone network. It is used to send the security signal when the broadband line is down. The security signal is sent from the controller 61 through the IP line unit 63 to the multi-line adapter 69, and from the multi-line adapter 69 to the center device 13.

The monitored PC 71 is a PC installed at the monitoring target 5. In the example of this embodiment the monitoring target 5 is a store, so the monitored PC 71 may be the store's PC.

Next, the user device 17 is described. The user device 17 consists of a VPN terminal equipment unit (hereinafter VTE) 81, a router 83 and a user PC (personal computer) 85.

The VTE 81 is a line termination device for the broadband connection. The VTE 81 builds a VPN tunnel with the VPN server 35 of the communication management device 11, and a VPN tunnel with the IP line unit 63 of the monitoring device 15. In the former the VTE 81 acts as a VPN client; in the latter it acts as a VPN server. The router 83 is a broadband-line router.

The VTE 81 is connected to the user PC 85. The VTE 81 forwards the video, audio and control signals received from the controller 61 of the monitoring device 15 to the user PC 85, and forwards the audio and control signals received from the user PC 85 to the controller 61.

In this embodiment, the user site 7 is the store owner's office or the like, so the user PC 85 may be the store owner's PC. The owner uses the user PC 85 to view surveillance video of the monitoring target 5. To provide this function, an application is installed on the user PC 85 that communicates with the controller 61 to display and switch between surveillance videos of the monitoring target 5.

In this embodiment the user device 17 is fixed. However, the functions of the user device 17 may also be built into a mobile terminal or the like so that it can be carried.

The overall configuration of the monitoring system 1 has been described above. Next, the characteristic configuration of the present invention is described.

FIG. 3 shows a part of the monitoring system 1 shown in FIGS. 1 and 2, which is the main part of the present invention. In FIG. 3, elements already described in FIGS. 1 and 2 carry the same reference numerals.

As shown in FIG. 3, the communication management device 11 has, in addition to the VPN server 35 and the SIP server 37, a permission information storage unit 101 and a permission processing unit 103. The permission information storage unit 101 stores connection permission information, which indicates the combinations of terminals (monitoring device 15 and user device 17) whose connection is to be permitted. The permission processing unit 103 refers to the connection permission information to decide whether to permit a connection between terminals. The permission information storage unit 101 and the permission processing unit 103 are implemented by the database 43 and the account management server 41 of FIG. 2, respectively.

FIG. 4 shows an example of the connection permission information stored in the permission information storage unit 101. In this example, the connection permission information is a table of terminal ID combinations. The table associates each user (store owner) with a monitoring device ID (the ID of a monitoring device 15) and a user device ID (the ID of a user device 17). The monitoring device ID and the user device ID may be any information that identifies the monitoring device 15 and the user device 17. In the example described later, the monitoring device ID is the ID of the IP line unit 63 and the user device ID is the ID of the VTE 81.

One owner may own several stores. In that case, several monitoring devices 15 are associated with one user device 17. In the example of FIG. 4, user C has two stores, and two monitoring devices 15 (C01, C02) are associated with one user device 17 (C11). Conversely, when one owner uses several user devices 17, one monitoring device 15 may be associated with several user devices 17.

Returning to FIG. 3, in the monitoring device 15, the IP line unit 63 has a SIP processing unit 111, a VPN processing unit 113 and a storage unit 115. The SIP processing unit 111 and the VPN processing unit 113 perform SIP-related and VPN-related processing respectively. The storage unit 115 stores the various information handled by the IP line unit 63. In particular, in the present invention, the storage unit 115 stores the IP address and the electronic certificate of the IP line unit 63. This information corresponds to the connection establishment information of the present invention and is provided to the connection partner for the VPN connection. The storage unit 115 also stores the IP line unit ID (the ID of the IP line unit 63), which is used as the ID of the monitoring target 5.

As shown in FIG. 3, the VTE 81 of the user device 17 likewise has a SIP processing unit 121, a VPN processing unit 123 and a storage unit 125. The storage unit 125 stores the IP address and electronic certificate of the VTE 81, and also stores the VTE-ID (the ID of the VTE 81).

Next, the operation of this embodiment is described, namely the operation when the inter-terminal VPN 25 is built, that is, when a VPN connection is made between the monitoring device 15 and the user device 17.

First, an outline of the operation. As described above, a center-terminal VPN 21 is always established between the communication management device 11 and the monitoring device 15, and likewise between the communication management device 11 and the user device 17. Separately from these center-terminal VPNs 21, an inter-terminal VPN 25 is built directly between the monitoring device 15 and the user device 17 by the following operation.

Information is exchanged when the inter-terminal VPN 25 is connected. In this embodiment, IP addresses and electronic certificates are exchanged between the monitoring device 15 and the user device 17. As the means for this exchange, this embodiment turns to SIP. In SIP signaling, messages are exchanged between terminals, and the IP address and electronic certificate mentioned above are placed in these SIP messages. In this way the information exchange that prepares for building the inter-terminal VPN 25 is carried out through SIP signaling.

With SIP's basic functionality, a SIP connection can be established between any addresses registered with the SIP server 37. That leaves the possibility of the monitoring device 15 being connected to an unrelated user device 17, which is undesirable from a security standpoint. With this in mind, signaling in this embodiment proceeds as follows. Below, one of the monitoring device 15 and the user device 17 is the SIP connection source terminal and the other is the SIP connection destination terminal. The SIP messages are sent over the center-terminal VPN 21.

Referring to FIG. 5, the connection source terminal first sends an INVITE message (specifically, a SIP INVITE message; the same applies below) to the SIP server 37 (S1). The INVITE message carries the ID of the connection source terminal, the ID of the connection destination terminal, and the IP address and electronic certificate of the connection source terminal.

On receiving the INVITE message, the SIP server 37 passes the connection source terminal ID and the connection destination terminal ID to the permission processing unit 103 and asks whether the source and destination terminals may be connected (S3). The permission processing unit 103 refers to the connection permission information in the permission information storage unit 101 and decides whether to permit the connection (S5). If the combination of the connection source terminal and the connection destination terminal is registered in the permission information storage unit 101, the connection is permitted.

The SIP server 37 receives the permission result from the permission processing unit 103 (S7). If the permission processing unit 103 has permitted the connection, the SIP server 37 sends the INVITE message to the connection destination terminal (S9). This INVITE message contains the IP address and electronic certificate of the connection source terminal.

On receiving the INVITE message, the connection destination terminal sends an OK message (specifically, a SIP 200 OK message; the same applies below) to the SIP server 37 (S11). The OK message carries the IP address and electronic certificate of the connection destination terminal. The OK message is forwarded via the SIP server 37 to the connection source terminal (S13). The IP addresses and electronic certificates have thus been exchanged through SIP signaling. When the VPN is then built between the terminals, authentication is performed using the electronic certificate contained in the connection request and the electronic certificate exchanged earlier, and the inter-terminal VPN 25 is established (S15).

As described above, in this embodiment, the permission check on the combination of terminals is performed after the SIP server 37 receives the INVITE message. If the connection is not permitted, the INVITE message is not sent to the connection destination terminal, and neither the subsequent SIP processing nor the VPN processing takes place. Only when the combination of monitoring device 15 and user device 17 is appropriate is the connection permitted, the INVITE message sent to the connection destination terminal, the subsequent SIP processing performed and, finally, the VPN connection made.

Next, the operation of the monitoring system 1 is described in detail with reference to FIGS. 6 and 7. The case where the monitoring device 15 is the connection source terminal is described first, followed by the case where the user device 17 is the connection source.

In the sequence diagram of FIG. 6, the controller 61 and the IP line unit 63 belong to the monitoring device 15, the SIP server 37 and the permission information storage unit 101 (account management server 41) belong to the communication management device 11, and the VTE 81 and the user PC 85 belong to the user device 17.

The controller 61 sends a connection instruction (P2P connection instruction) containing the VTE-ID (the ID of the VTE 81) to the IP line unit 63 (S101). Here, the VTE-ID serves as the connection destination terminal ID.

The IP line unit 63 reads the IP line unit IP address (the IP address of the IP line unit 63) and the IP line unit individual certificate from the storage unit 115. The IP line unit individual certificate is an electronic certificate assigned to each IP line. The IP line unit 63 also reads the IP line unit ID (the ID of the IP line unit 63), which serves as the connection source terminal ID, from the storage unit 115. The IP line unit 63 attaches this information to an INVITE message and sends the INVITE message to the SIP server 37 (S103). Specifically, the INVITE message contains the IP line unit IP address, the IP line unit ID, the VTE-ID and the IP line unit individual certificate.

The SIP server 37 receives the INVITE message, sends the IP line unit ID and the VTE-ID to the permission processing unit 103, and asks whether the connection is permitted (S105). The permission processing unit 103 refers to the connection permission information in the permission information storage unit 101 to decide whether to permit the connection (S107). Here, the table of FIG. 4 is read, and the permission processing unit 103 checks whether the queried combination of terminal IDs is registered in the table. If the combination is registered, the permission processing unit 103 permits the connection. The permission result is sent from the permission processing unit 103 to the SIP server 37 (S109). If the permission processing unit 103 has permitted the connection, the SIP server 37 sends the INVITE message to the VTE 81 (S111). This INVITE message carries the IP line unit IP address and the IP line unit individual certificate.

In the above processing, if the connection is not permitted in step S107, the SIP server 37 does not send the INVITE message to the VTE 81. Consequently, neither the subsequent SIP processing nor the subsequent VPN connection takes place.

On receiving the INVITE message, the VTE 81 stores the IP line unit IP address and the IP line unit individual certificate in the storage unit 125 and sends a connection request (P2P connection request) inquiry to the user PC 85 (S113). This connection request carries the IP line unit IP address. The user PC 85 then sends a connection response to the VTE 81 (S115).

The VTE 81 reads the VTE-IP address (the IP address of the VTE 81) and the VTE individual certificate (the electronic certificate assigned to the VTE 81) from the storage unit 125, and sends an OK message to the SIP server 37 (S117). The OK message carries the VTE-IP address and the VTE individual certificate.

The SIP server 37 sends the OK message, together with the VTE-IP address and the VTE individual certificate, to the IP line unit 63 (S119). On receiving the OK message, the IP line unit 63 stores the VTE-IP address and the VTE individual certificate in the storage unit 115 and sends an ACK message to the SIP server 37 (S121); the SIP server 37 in turn sends the ACK message to the VTE 81 (S123).

Through the above process, the IP line unit 63 has obtained the IP address and electronic certificate of the VTE 81, and the VTE 81 has obtained the IP address and electronic certificate of the IP line unit 63. Using this information, each side can identify the other and a VPN connection can be established between the IP line unit 63 and the VTE 81. This is the inter-terminal VPN 25.

As shown in the figure, the IP line unit 63 sends a VPN connection request to the VTE 81 (S125). Here the VPN connection is requested directly, not via the SIP server 37. The VTE 81 authenticates the request by checking the IP line unit individual certificate contained in the VPN connection request against the IP line unit individual certificate stored in the storage unit 125, and sends arrival information, including the peer's IP line unit IP address, to the user PC 85 (S127). The IP line unit IP address is used by the user PC 85 during VPN communication. The VTE 81, acting as the VPN server, then notifies the IP line unit 63 that the VPN connection processing has been performed (S129). The IP line unit 63 notifies the controller 61 that the connection result is OK and passes it the peer's VTE-IP address (S131). The VTE-IP address is used by the controller 61 during VPN communication. The VPN connection is thus established and communication proceeds over the inter-terminal VPN 25. Surveillance video, audio and the like are provided from the monitoring device 15 to the user device 17.
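As an added illustration (not the patent's own code), the following Python simulation walks through the FIG. 5 / FIG. 6 flow: the SIP server consults a permission table shaped like FIG. 4 before forwarding the INVITE, the OK carries the destination's address and certificate back, and the later direct VPN request is checked against the certificate exchanged earlier (S15/S127). It treats the permitted pair as unordered so that either terminal may be the connection source, which also covers the FIG. 7 case; the IDs, addresses and string "certificates" are constructed stand-ins.

```python
"""Simulated SIP-mediated permission check and certificate exchange preceding
the inter-terminal VPN 25 (FIG. 5 / FIG. 6). Added example, not patent code."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set, Tuple

# Constructed permission table in the shape of FIG. 4:
# (owner, monitoring device ID, user device ID). The IDs are made up.
PERMISSION_TABLE = [
    ("A", "A01", "A11"),
    ("B", "B01", "B11"),
    ("C", "C01", "C11"),  # owner C has two stores ...
    ("C", "C02", "C11"),  # ... both reachable from one user device
]

@dataclass
class Terminal:
    """A monitoring device (IP line unit 63) or a user device (VTE 81)."""
    terminal_id: str
    ip: str
    cert: str  # individual certificate; a stand-in string, not real X.509
    # peer ID -> (IP address, certificate) learned through SIP signaling
    peer_info: Dict[str, Tuple[str, str]] = field(default_factory=dict)

    def build_invite(self, dest_id: str) -> Dict[str, str]:
        # S1/S103: source ID, destination ID, own IP address and certificate
        return {"type": "INVITE", "src": self.terminal_id, "dst": dest_id,
                "ip": self.ip, "cert": self.cert}

    def on_invite(self, invite: Dict[str, str]) -> Dict[str, str]:
        # S11/S113-S117: keep the source's IP/cert, answer with own IP/cert
        self.peer_info[invite["src"]] = (invite["ip"], invite["cert"])
        return {"type": "OK", "src": self.terminal_id, "dst": invite["src"],
                "ip": self.ip, "cert": self.cert}

    def on_ok(self, ok: Dict[str, str]) -> None:
        # S13/S119: keep the destination's IP/cert for the VPN step
        self.peer_info[ok["src"]] = (ok["ip"], ok["cert"])

    def accept_vpn(self, request: Dict[str, str]) -> bool:
        # S15/S127: accept only if the request carries the certificate exchanged
        # for that peer during SIP signaling; unknown peers are refused
        stored = self.peer_info.get(request["src"])
        return stored is not None and stored[1] == request["cert"]

    def vpn_connect(self, peer: "Terminal") -> bool:
        # S125: the request goes straight to the peer, not via the SIP server
        return peer.accept_vpn({"src": self.terminal_id, "cert": self.cert})

class PermissionProcessor:
    """Permission processing unit 103 over the FIG. 4 table."""
    def __init__(self, table) -> None:
        self.pairs: Set[FrozenSet[str]] = {frozenset((m, u)) for _, m, u in table}

    def is_permitted(self, src_id: str, dst_id: str) -> bool:
        # Unordered lookup: either the monitoring device or the user device
        # may be the connection source (FIG. 6 vs FIG. 7)
        return frozenset((src_id, dst_id)) in self.pairs

class SipServer:
    """SIP server 37: permission check first, forwarding only if permitted."""
    def __init__(self, permission: PermissionProcessor, terminals) -> None:
        self.permission = permission
        self.registry = {t.terminal_id: t for t in terminals}

    def handle_invite(self, invite: Dict[str, str]) -> Optional[Dict[str, str]]:
        # S3-S7: consult the permission processing unit before forwarding
        dest = self.registry.get(invite["dst"])
        if dest is None or not self.permission.is_permitted(invite["src"], invite["dst"]):
            return None  # INVITE dropped: no further SIP or VPN processing
        ok = dest.on_invite(invite)             # S9 -> S11
        self.registry[invite["src"]].on_ok(ok)  # S13
        return ok

def establish_inter_terminal_vpn(server: SipServer, src: Terminal, dst_id: str) -> str:
    """Run the full sequence; returns 'rejected', 'auth_failed' or 'connected'."""
    if server.handle_invite(src.build_invite(dst_id)) is None:
        return "rejected"
    return "connected" if src.vpn_connect(server.registry[dst_id]) else "auth_failed"

def demo() -> Dict[str, str]:
    """Constructed terminals: owner C's store (C01) and VTE (C11), owner A's VTE (A11)."""
    server = SipServer(PermissionProcessor(PERMISSION_TABLE), [
        Terminal("C01", "203.0.113.10", "cert-C01"),
        Terminal("C11", "198.51.100.5", "cert-C11"),
        Terminal("A11", "198.51.100.6", "cert-A11"),
    ])
    c01, c11 = server.registry["C01"], server.registry["C11"]
    return {
        "permitted_pair": establish_inter_terminal_vpn(server, c01, "C11"),
        "user_as_source": establish_inter_terminal_vpn(server, c11, "C01"),
        "unrelated_pair": establish_inter_terminal_vpn(server, c01, "A11"),
    }

if __name__ == "__main__":
    print(demo())
```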

接着参照图7说明使用者装置17是连接源的情况。使用者(主人)例如将显示影像的指示输入到使用者PC85。使用者PC85将包括IP线路单元ID在内的连接指示(P2P连接指示)发送到VTE81(S201)。这里,IP线路单元ID用作连接地终端的ID。Next, a case where the user device 17 is the connection source will be described with reference to FIG. 7 . The user (host) inputs, for example, an instruction to display a video to the user PC 85 . The user PC 85 transmits a connection instruction (P2P connection instruction) including the IP line unit ID to the VTE 81 (S201). Here, the IP line unit ID is used as the ID of the connected terminal.

The VTE 81 reads the VTE-IP address and the VTE individual certificate from the storage unit 125. It also reads the VTE-ID, which is the connection source terminal ID, from the storage unit 125. The VTE 81 attaches this information to an INVITE message and sends the INVITE message to the SIP server 37 (S203). Specifically, the INVITE message includes the VTE-IP address, the VTE-ID, the IP line unit ID, and the VTE individual certificate.

The SIP server 37 receives the INVITE message, sends the VTE-ID and the IP line unit ID to the permission processing unit 103, and asks whether the connection is permitted (S205). The permission processing unit 103 refers to the connection permission information in the permission information storage unit 101, as described above, judges whether to permit the connection (S207), and sends the permission result to the SIP server 37 (S209). That is, the connection is permitted if the combination of the VTE-ID and the IP line unit ID has already been registered. Once the permission processing unit 103 has permitted the connection, the SIP server 37 sends the INVITE message to the IP line unit 63 (S211). This INVITE message carries the VTE-IP address and the VTE individual certificate.

In the above processing, if the connection is not permitted in step S207, the SIP server 37 does not send the INVITE message to the IP line unit 63. Consequently, neither the subsequent SIP processing nor the subsequent VPN connection is performed.

On receiving the INVITE message, the IP line unit 63 stores the VTE-IP address and the VTE individual certificate in the storage unit 115. The IP line unit 63 then queries the controller 61 with a connection request (P2P connection request) (S213). This connection request carries the VTE-IP address. The controller 61 then sends a connection response to the IP line unit 63 (S215).

The IP line unit 63 reads the IP line unit IP address and the IP line unit individual certificate from the storage unit 115, and sends an OK message to the SIP server 37 (S217). This OK message carries the IP line unit IP address and the IP line unit individual certificate.

The SIP server 37 sends the OK message, together with the IP line unit IP address and the IP line unit individual certificate, to the VTE 81 (S219). On receiving the OK message, the VTE 81 stores the IP line unit IP address and the IP line unit individual certificate in the storage unit 125, returns an ACK message to the SIP server 37 (S221), and notifies the user PC 85 that the SIP connection has been established (S223). The SIP server 37 sends the ACK message to the IP line unit 63 (S225).

Through the above process, IP addresses and electronic certificates are exchanged between the IP line unit 63 and the VTE 81. On receiving the ACK message, the IP line unit 63 sends a VPN connection request to the VTE 81 (S227). The VPN connection is made without going through the SIP server 37. The VTE 81 sends arrival information including the target VTE-IP address to the user PC 85 (S229). The VTE 81, acting as the VPN server, then notifies the IP line unit 63 that the VPN connection processing has been performed (S231). The IP line unit 63 sends arrival information including the target VTE-IP address to the controller 61 (S233). The VPN connection is thus established, and communication takes place over the inter-terminal VPN 25.

As shown in FIG. 6 and FIG. 7, in both sequences the VPN connection request is sent from the IP line unit 63 to the VTE 81. The reason is as follows. In a VPN, the connection request must be sent from the client to the server. In this embodiment, the VPN server function is provided only in the VTE 81. Therefore, in both FIG. 6 and FIG. 7, the VPN connection request is sent from the IP line unit 63 to the VTE 81.
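The exchange of FIG. 6 and FIG. 7 (INVITE carrying the source's IP address and certificate plus the destination ID, permission check against the registered terminal pairs, OK carrying the destination's IP address and certificate, ACK, then a VPN request sent directly from the IP line unit to the VTE) is modelled below as an added illustration; it is not code from the patent or its applicant. Certificates are plain strings, messages are dicts, the permission store treats a registered pair as unordered so that either side may be the connection source, and the VTE's "authentication" is an equality check against the certificate and address learned over SIP. All terminal IDs, addresses and certificate values are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class Terminal:
    """An IP line unit or a VTE. `storage` models storage unit 115 / 125."""
    terminal_id: str
    ip: str
    cert: str                     # constructed stand-in for the individual certificate
    is_vpn_server: bool = False   # only the VTE provides the VPN server function
    storage: Dict[str, str] = field(default_factory=dict)

    def build_invite(self, dst_id: str) -> dict:
        # INVITE carries the source's own IP address and certificate and the destination ID.
        return {"type": "INVITE", "src_id": self.terminal_id, "dst_id": dst_id,
                "src_ip": self.ip, "src_cert": self.cert}

    def on_invite(self, invite: dict) -> dict:
        # Destination stores the peer's connection establishment information
        # and answers with its own in the OK message.
        self.storage["peer_ip"] = invite["src_ip"]
        self.storage["peer_cert"] = invite["src_cert"]
        return {"type": "OK", "src_id": self.terminal_id,
                "src_ip": self.ip, "src_cert": self.cert}

    def on_ok(self, ok: dict) -> dict:
        # Source stores the destination's information and returns ACK.
        self.storage["peer_ip"] = ok["src_ip"]
        self.storage["peer_cert"] = ok["src_cert"]
        return {"type": "ACK", "src_id": self.terminal_id}

    def accept_vpn(self, client_ip: str, client_cert: str) -> bool:
        # VPN server side: the client must present exactly the certificate and
        # address learned during the SIP exchange; anything else is refused.
        if not self.is_vpn_server:
            return False
        return (self.storage.get("peer_ip") == client_ip
                and self.storage.get("peer_cert") == client_cert)


class CommunicationManager:
    """SIP server plus permission information storage and permission processing unit."""

    def __init__(self, terminals: Iterable[Terminal],
                 permitted_pairs: Iterable[Tuple[str, str]]) -> None:
        self.terminals = {t.terminal_id: t for t in terminals}
        # Connection permission information: registered (monitoring-side, user-side)
        # pairs, kept unordered because either side may be the connection source.
        self.permitted = {frozenset(pair) for pair in permitted_pairs}
        self.log: List[str] = []

    def permission_check(self, src_id: str, dst_id: str) -> bool:
        return frozenset((src_id, dst_id)) in self.permitted

    def handle_invite(self, invite: dict) -> Optional[dict]:
        """Return the ACK if INVITE/OK/ACK completed, None if INVITE was not forwarded."""
        src_id, dst_id = invite["src_id"], invite["dst_id"]
        if not self.permission_check(src_id, dst_id):
            self.log.append(f"INVITE {src_id}->{dst_id}: pair not registered, not forwarded")
            return None
        src, dst = self.terminals.get(src_id), self.terminals.get(dst_id)
        if src is None or dst is None:
            self.log.append(f"INVITE {src_id}->{dst_id}: unknown terminal")
            return None
        ok = dst.on_invite(invite)   # INVITE forwarded, OK returned
        ack = src.on_ok(ok)          # OK relayed, ACK returned
        self.log.append(f"INVITE {src_id}->{dst_id}: OK and ACK relayed")
        return ack


def establish_p2p(manager: CommunicationManager, ip_line_unit: Terminal,
                  vte: Terminal, source_is_user: bool) -> dict:
    """Run the SIP exchange, then the direct VPN request from the IP line unit to the VTE."""
    source, dest = (vte, ip_line_unit) if source_is_user else (ip_line_unit, vte)
    ack = manager.handle_invite(source.build_invite(dest.terminal_id))
    if ack is None:
        return {"sip_established": False, "vpn_established": False}
    # The VPN request always goes from the IP line unit (client) to the VTE
    # (server), whichever side was the SIP connection source.
    vpn_ok = vte.accept_vpn(ip_line_unit.ip, ip_line_unit.cert)
    return {"sip_established": True, "vpn_established": vpn_ok}


def demo(source_is_user: bool, registered: bool) -> dict:
    """Constructed terminals; the pair is registered only when `registered` is True."""
    iplu = Terminal("IPLU-63", "10.0.1.63", "CERT-IPLU-63")
    vte = Terminal("VTE-81", "10.0.2.81", "CERT-VTE-81", is_vpn_server=True)
    pairs = [("IPLU-63", "VTE-81")] if registered else []
    return establish_p2p(CommunicationManager([iplu, vte], pairs), iplu, vte, source_is_user)


def vpn_with_wrong_certificate_is_refused() -> bool:
    """After a valid SIP exchange, a VPN request carrying another certificate is refused."""
    iplu = Terminal("IPLU-63", "10.0.1.63", "CERT-IPLU-63")
    vte = Terminal("VTE-81", "10.0.2.81", "CERT-VTE-81", is_vpn_server=True)
    manager = CommunicationManager([iplu, vte], [("IPLU-63", "VTE-81")])
    manager.handle_invite(iplu.build_invite("VTE-81"))
    return not vte.accept_vpn("10.0.1.63", "CERT-OTHER")


if __name__ == "__main__":
    for src_user in (False, True):
        for reg in (True, False):
            print(f"source_is_user={src_user} registered={reg}: {demo(src_user, reg)}")
    print("wrong certificate refused:", vpn_with_wrong_certificate_is_refused())
```

Running the script shows the point of the permission processing unit: an unregistered pair never gets its INVITE forwarded, so the destination never learns the source's address or certificate and no VPN can follow, while a registered pair completes in either direction and the VTE then admits only the client whose certificate it learned over SIP.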

A preferred embodiment of the present invention has been described above. According to this embodiment, a plurality of terminals (the monitoring device 15 and the user device 17) are connected to the communication management device 11, which has the SIP server 37. As shown in FIG. 3, the communication management device 11 has, in addition to the SIP server 37, a permission information storage unit 101 and a permission processing unit 103. In SIP signaling, an INVITE message is sent from the connection source terminal to the SIP server. At that point, the permission processing unit 103 judges whether to permit the connection. Only when the permission processing unit 103 permits the connection does the SIP server 37 forward the INVITE message from the connection source terminal to the connection destination terminal, so that the SIP signaling succeeds.

Thus, in the present invention, information on the combinations of terminals whose connection is to be permitted is stored in advance, and the connection between terminals is authorized at the time of SIP signaling. As a result, rather than a simple authentication between a terminal and the SIP server 37, permission can be granted for the terminal-to-terminal (P2P) connection mediated by the SIP server 37, so that the users of the monitoring information can be appropriately restricted. This improves security when SIP is applied in the monitoring system 1.

Furthermore, in the present invention, connection establishment information, that is, the information used to establish the inter-terminal connection that does not go through the communication management device 11, can be attached to the INVITE and OK messages exchanged during SIP signaling. The terminals can thereby exchange connection establishment information and establish the inter-terminal connection. SIP can thus be used effectively for inter-terminal connection. In addition, the traffic between the communication management device 11 and the terminals is reduced, which lowers the load on the communication management device 11.

In this embodiment, an IP address and an electronic certificate were described as the connection establishment information by way of example, but other information may be used instead of the electronic certificate to authenticate the peer. For example, the common name or the like contained in the electronic certificate may be used as connection establishment information.

Furthermore, according to the present invention, the inter-terminal connection that does not go through the communication management device 11 can be the inter-terminal VPN 25, in which a VPN is built between the terminals to connect them. The bidirectional exchange of information in SIP signaling can be applied to the exchange of the information needed to establish the VPN connection, and security can be improved by using a VPN.

Furthermore, according to the present invention, the INVITE message includes the IP address and electronic certificate of the connection source terminal as connection establishment information, and the OK message includes the IP address and electronic certificate of the connection destination terminal as connection establishment information. The information used for the VPN connection can thus be exchanged effectively over SIP, and secure communication can be performed between the terminals.

Furthermore, according to the present invention, the communication management device 11 can be installed in the monitoring center 3. The communication management device 11 can then handle both communication between the monitoring center 3 and the terminals and communication between the terminals.

Furthermore, according to the present invention, the communication management device 11 and the plurality of terminals can be connected through the center-terminal VPN 21, a VPN built between the communication management device 11 and the terminals, and the SIP server 37 can exchange SIP messages with the terminals over the center-terminal VPN 21. SIP communication thus takes place over the center-terminal VPN 21. The inter-terminal VPN 25 established after the SIP call is a VPN between terminals, whereas the center-terminal VPN 21 is a VPN between the communication management device 11 and a terminal. Using the center-terminal VPN 21 secures the communication between the monitoring center 3 and each terminal, and also secures the SIP communication.

Furthermore, according to the present invention, the monitoring information may include at least one of images captured at the monitoring object 5, monitoring signals detected at the monitoring object 5, and control information generated on the user side. The monitoring information can thus be communicated between the terminals.

A preferred embodiment of the present invention has been described above. However, the present invention is not limited to the above embodiment, and those skilled in the art may of course modify the above embodiment within the scope of the present invention.

The presently preferred embodiment of the present invention has been described above, but this embodiment can be modified in various ways, and all modifications within the true spirit and scope of the present invention are included within the scope of the claims.

Industrial Applicability

As described above, the monitoring system according to the present invention is suitable for remote monitoring of shops and the like via communication.

Claims (4)

1. A monitoring system comprising: a monitoring-object-side terminal installed at a monitoring object; a user-side terminal installed on the user side, which uses monitoring information received from the monitoring-object-side terminal; and a communication management device that manages communication between the monitoring-object-side terminal and the user-side terminal, the monitoring system being characterized in that
the monitoring-object-side terminal has a function of acquiring the monitoring information of the monitoring object and sending it to the user-side terminal,
the user-side terminal has a function of monitoring the monitoring object using the monitoring information received from the monitoring-object-side terminal,
the monitoring system is configured such that, when one of the monitoring-object-side terminal and the user-side terminal requests a connection to the other, the connection source terminal sends to the communication management device a SIP INVITE message including its own IP address and electronic certificate and identification information of the connection destination terminal, the monitoring-object-side terminal and the user-side terminal forming a group of terminals having mutually different functions;
the communication management device comprises: a SIP server; a permission information storage unit that stores connection permission information indicating the corresponding combinations of a monitoring-object-side terminal and a user-side terminal, as a group of terminals having mutually different functions, whose connection is to be permitted; and a permission processing unit that refers to the connection permission information to judge whether to permit a connection between the monitoring-object-side terminal and the user-side terminal,
the SIP server, on obtaining the INVITE message from the connection source terminal, provides the identification information of the connection destination terminal contained in the INVITE message to the permission processing unit, and when the permission processing unit has permitted the connection between the monitoring-object-side terminal and the user-side terminal, the SIP server provides the INVITE message from the connection source terminal to the connection destination terminal,
when the connection destination terminal receives the INVITE message from the communication management device, it sends a SIP OK message containing its own IP address and electronic certificate to the communication management device, and
the connection source and connection destination terminals use the IP addresses and electronic certificates of the respective terminals exchanged in the INVITE message and the OK message to establish, after the SIP session has been established, an inter-terminal connection between the connection source and connection destination terminals that does not go through the communication management device.

2. The monitoring system according to claim 1, characterized in that the inter-terminal connection that does not go through the communication management device is an inter-terminal VPN in which a VPN is built between the terminals to connect them.

3. The monitoring system according to claim 1, characterized in that the connection between the communication management device and the monitoring-object-side terminal or user-side terminal is made through a center-terminal VPN in which a VPN is built between the communication management device and the monitoring-object-side terminal or user-side terminal, and the SIP server communicates SIP messages with the monitoring-object-side terminal or user-side terminal through the center-terminal VPN.

4. The monitoring system according to any one of claims 1 to 3, characterized in that the monitoring information includes at least one of an image captured at the monitoring object, a monitoring signal detected at the monitoring object, and control information generated on the user side.
CN201080014851.1A 2009-03-30 2010-03-25 Monitoring system and communication management device Active CN102378982B (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
JP2009081307A JP4781447B2 (en) 2009-03-30 2009-03-30 Monitoring system
JP2009-081307 2009-03-30
PCT/JP2010/002119 WO2010116642A1 (en) 2009-03-30 2010-03-25 Monitoring system and communication management device

Publications (2)

Publication Number Publication Date
CN102378982A CN102378982A (en) 2012-03-14
CN102378982B true CN102378982B (en) 2015-05-27

Also Published As

Publication number Publication date
JP4781447B2 (en) 2011-09-28
CN102378982A (en) 2012-03-14
KR101516708B1 (en) 2015-05-04
KR20120028298A (en) 2012-03-22
WO2010116642A1 (en) 2010-10-14
JP2010233167A (en) 2010-10-14
