CN112562151B - An Access Control System Based on Bloom Filter - Google Patents
An Access Control System Based on Bloom Filter
- Publication number: CN112562151B (application CN202011393624.6A)
- Authority: CN (China)
- Prior art keywords: token, access control, personnel, access, information
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
- G07C9/00—Individual registration on entry or exit
- G07C9/20—Individual registration on entry or exit involving the use of a pass
- G07C9/22—Individual registration on entry or exit involving the use of a pass in combination with an identity check of the pass holder
- G07C9/25—Individual registration on entry or exit involving the use of a pass in combination with an identity check of the pass holder using biometric data, e.g. fingerprints, iris scans or voice recognition
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/321—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
- H04L9/3213—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
Description
Technical field
The invention relates to the technical field of software engineering and system software, and in particular to an access control system based on a Bloom filter.
Background
An access control system is a concept from the field of intelligent buildings: it refers to the permission to pass through a "door" and to the guarding of that "door". Here "door", in the broad sense, covers every kind of passage that can be traversed, including doors for people and gates for vehicles; access control therefore includes vehicle access control as well.
An entrance and exit access control security management system is a new type of modern security management system. It integrates microcomputer-based automatic identification with modern security management measures and draws on many new technologies such as electronics, mechanics, optics, computing, communications and biometrics. It is an effective means of implementing security management at the entrances and exits of important departments, and is applicable to all kinds of sensitive premises, such as banks, hotels, parking facilities, computer rooms, armories, confidential rooms, offices, intelligent residential communities and factories.
Access control has long gone beyond simple doorway and key management and has gradually developed into a complete entry and exit management system. It plays a significant role in administrative work such as workplace safety and personnel attendance management.
The Bloom filter was proposed by Bloom in 1970. It is essentially a very long binary vector together with a series of random mapping functions, and it can be used to test whether an element is a member of a set. Its advantages are that its space efficiency and query time are far better than those of general algorithms; its disadvantages are a certain false-positive rate and the difficulty of deletion.
Before the Bloom filter appeared, the usual way to determine whether an element belonged to a set was to store all the elements and then decide by comparison. As the number of elements in the set grows, however, the storage required grows with it and retrieval becomes slower and slower (O(n) or O(log n)). The underlying principle of the Bloom filter is the hash algorithm. A hash algorithm (the Chinese terms 散列 and 杂凑, and the transliteration 哈希, all refer to it) transforms an input of arbitrary length (also called the pre-image) into an output of fixed length, the hash value. This transformation is a compressing map: the space of hash values is usually far smaller than the input space, different inputs may hash to the same output, and so a unique input cannot be recovered from a hash value. Simply put, it is a function that compresses a message of arbitrary length into a message digest of fixed length. [3] A hash table is a data structure that maps an element, through a hash function, to one or more positions in a bit array. By comparing the values (0 or 1) at those positions in the hash table's bit array with the corresponding bits obtained by hashing the element under test, one can determine whether that element is definitely absent from the known hash table. This is the basic idea of the Bloom filter.
Compared with other data structures, the Bloom filter has enormous advantages in both space and time: its storage space and its insertion/query time are both constant. In addition, the hash functions are independent of one another, which makes parallel implementation in hardware convenient. A Bloom filter does not need to store the elements themselves, which is an advantage in settings with very strict confidentiality requirements.
The defining property of a Bloom filter is that when it reports that a value is present, the value may in fact be absent; when it reports that a value is absent, the value is definitely absent.
Summary of the invention
In view of the above, the present invention provides an access control system based on a Bloom filter. A Bloom filter is introduced to verify the identity codes of persons requesting to pass through the access control system, so that unauthorized persons are identified and stopped more quickly and the false-recognition rate caused by spurious triggers is reduced.
Building on these properties of the Bloom filter, an access control system is devised in which the identity codes of the internal personnel of a community or organization are entered into a Bloom filter; the Bloom filter checks the identity code of each person requesting to pass and stops unauthorized persons; a software system maintains the identity codes and performs identity registration, visitor registration and similar operations; and a scheduled task periodically refreshes the Bloom filter so that the set of authorized persons is kept up to date.
The technical scheme of the present invention is as follows:
An access control system based on a Bloom filter, consisting of 1) an access control terminal, 2) an access control management terminal, 3) an access control core system and 4) a database;
1) The access control terminal consists of a recognizer, a Bloom filter and an access controller; wherein
the recognizer identifies the identity information of the person requesting to pass; the identity information is obtained by face recognition, fingerprint recognition or an NFC card reader;
for face recognition, the component's function is to extract a feature code (face id) from the facial image; for an NFC card reader, it is to read the card ID;
the Bloom filter verifies whether the person's identity information is absent and intercepts invalid requests;
the controller opens and closes the door and reports the identity verification result back to the person;
2) The access control management terminal consists of three functional modules: access rule maintenance, token maintenance and personnel maintenance; wherein
the access rule maintenance function sets and modifies the access rules of the access control system;
personnel maintenance enters the list of persons allowed to pass through the access control;
the token maintenance function applies for and revokes tokens for personnel;
3) The access control core system consists of four services: admission control, token management, personnel management and filter maintenance; wherein
the admission control service maintains the access rules, authenticates persons according to those rules, and sends a release or refusal signal to the access controller of the terminal;
the token management service applies for and revokes tokens for personnel and maintains token validity periods;
the personnel management service maintains the personnel information of the access control system;
the filter maintenance service loads token information into the filter after a token is generated, or periodically resets the filter;
4) The database stores access rules, personnel tokens and personnel information.
Further, access rules are set through the access rule maintenance function of the management terminal, and the management terminal calls the admission control service to update the configured rules in the database.
Further, personnel information is collected offline and entered and updated through the personnel maintenance function of the management terminal, which calls the personnel management service of the core system to update the personnel information in the database.
Further,
after the administrator of the access control system receives an offline application from a person wishing to pass through the system, the administrator uses the token maintenance function of the management terminal to apply for a token for each person who has passed review; the token maintenance function calls the token management service of the core system to generate the token and store it in the database, then updates the token attribute of the person's record, calls the filter maintenance service to load the token information into the Bloom filter of the terminal, and finally persists the updated personnel record to the database.
When a person no longer needs to pass through the system, the administrator revokes the token through the token maintenance function of the management terminal; the token maintenance function calls the token management service of the core system to mark the token as invalid and saves the token information to the database.
Further,
after the administrator applies for a token, the token management service of the core system calls the filter maintenance service to add the token information to the Bloom filter. When the administrator revokes a token or a token expires, the Bloom filter is not updated immediately; a nightly scheduled task clears the Bloom filter and then reloads the tokens into it.
When a person requests to pass through the access control, token authentication is first performed by the recognizer of the terminal; after the recognizer obtains the token information, it first passes it to the Bloom filter for comparison;
if the Bloom filter determines that the token does not exist, the access controller reports that the person is not authorized and refuses passage;
if the Bloom filter determines that the token may exist, the recognizer sends the token information to the admission control service of the core system and requests admission;
after receiving the admission request from the recognizer, the admission control service queries token management to check whether the token exists and has not expired; if the token does not exist or has expired, the access controller reports that the token does not exist or has expired and refuses passage.
If the token is valid, the admission control service calls the token management service to look up the person's information by token, queries the access rules through the admission control service, and determines whether the person's type and the current time satisfy the rules; if they do, the admission control service returns an admission instruction to the access controller of the terminal, which opens the door and shows a welcome message; otherwise the access controller reports insufficient authority and refuses entry.
The present invention uses a Bloom filter to determine whether a person's identifier exists in a known data set. Taking advantage of the Bloom filter's ease of implementation and high recognition efficiency, it applies the filter at the recognition end of the access control system and provides a management terminal; it can be combined with a variety of implementation technologies (face recognition, near-field communication, etc.) to solve the problem of identifying personnel in communities, enterprises and institutions.
The beneficial effects of the present invention are:
Compared with a traditional access control system, which compares the identification code or facial feature code of authorized personnel directly against the back-end database, this system places a Bloom filter in front of the access control end and intercepts unauthorized persons directly, which speeds up the identification of unauthorized persons and reduces accesses to the back-end database. It can be used with mobile phone NFC identification or face recognition to improve the interception efficiency of the access control system and reduce the false-recognition rate caused by spurious triggers, and it is better suited to automated identification scenarios with high personnel mobility and dense access.
Besides operating as a stand-alone access control system, the system can, through extended external interfaces, work with a company attendance system for attendance statistics and with a community property management system for property management.
Description of the drawings
Figure 1 is a schematic diagram of the Bloom filter principle;
Figure 2 is a schematic diagram of the system architecture;
Figure 3 is a schematic diagram of access rule maintenance;
Figure 4 is the access rule maintenance activity diagram;
Figure 5 is a schematic diagram of personnel maintenance;
Figure 6 is the personnel maintenance activity diagram;
Figure 7 is a schematic diagram of token maintenance;
Figure 8 is the token application activity diagram;
Figure 9 is the token revocation activity diagram;
Figure 10 is a schematic diagram of filter maintenance;
Figure 11 is the filter write activity diagram;
Figure 12 is the filter clearing activity diagram;
Figure 13 is a schematic diagram of admission control;
Figure 14 is the admission control activity diagram;
Figure 15 is a schematic diagram of company access control;
Figure 16 is a schematic diagram of community access control.
Detailed description
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. The described embodiments are evidently only some of the embodiments of the invention, not all of them. All other embodiments obtained by persons of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the invention.
As shown in Figure 1, the data structure of a Bloom filter is an extremely large bit array (bottom of the figure), each bit of which holds a binary 0 or 1. element1 and element2 are two elements to be stored in the bit array by means of a hash algorithm. f(e), g(e) and h(e) are three hash functions; the element to be hashed is supplied to each hash function as its argument, and the different hash algorithms yield different values, each of which is finally mapped to a different bit of the bit array; setting the corresponding bit to 1 records the value obtained for the element from that hash function. When the bit array is extremely large, the positions to which different elements are mapped by the hash functions are very sparse, so the probability that different elements map to the same position is greatly reduced.
To add an element to a Bloom filter, each of several hash functions is applied to the element to obtain an integer index, which is then reduced modulo the length of the bit array to obtain a position; each hash function yields a different position. Setting these bits of the bit array to 1 completes the addition.
To query whether an element is present, the same hash positions are computed as for addition and the bit array is checked to see whether all of them are 1. If even one bit is 0, the element is not in the Bloom filter. If all of them are 1, this does not prove that the element is present, only that it very probably is, because those bits may have been set to 1 by other keys. If the bit array is large enough and the set bits are sparse, the probability of a correct judgement is very high; otherwise it is lower.
System working principle:
The system administrator sets access rules through the management terminal (access time periods or permitted personnel types; personnel roles are omitted here to simplify the description and can be added in practice), enters the permitted personnel (whose information is collected offline), and then applies for and issues tokens for them (fingerprint or face enrolment, or IC card issuance). After the token management module generates and issues a token, it transmits the token through the filter maintenance module to the Bloom filter integrated in the terminal, which maps the token through its hash functions onto bits of the bit array. When a person requests admission at the terminal (by swiping a card, fingerprint or face), the recognizer reads the token information and passes it to the Bloom filter, which maps it with the same hash functions and compares the result with the bits in the bit array. If any bit differs, the person is considered to hold an invalid token and the request is refused outright. Otherwise the token is sent to the admission control module of the core system, which calls the token management module to check whether the token exists in the database and decides, according to the access rules maintained by the administrator, whether to release; if so, it sends a release instruction to the terminal's controller, allowing the person to pass.
1. System architecture
The system architecture is shown in Figure 2. The access control system consists of an access control terminal, an access control management terminal, an access control core system and a database.
The terminal consists of a recognizer, a Bloom filter and an access controller. The recognizer identifies the identity information of the person requesting to pass and may be implemented by face recognition, fingerprint recognition or an NFC card reader (for face recognition the component extracts a feature code (face id) from the facial image; for an NFC reader it reads the card ID); the Bloom filter checks whether the person's identity information is absent and intercepts invalid requests; the controller opens and closes the door and reports the verification result to the person.
The management terminal consists of three functional modules, access rule maintenance, token maintenance and personnel maintenance, and is a web application or a client application. The administrator uses access rule maintenance to set and modify the access rules (for example a curfew, or time-period restrictions on the entry and exit of persons of a particular type); uses personnel maintenance to enter the list of persons allowed to pass (internal personnel, registered visitors, etc.); and uses token maintenance to apply for and revoke tokens for personnel.
The core system consists of four services, admission control, token management, personnel management and filter maintenance, and is one or more back-end service applications. The admission control service maintains the access rules, authenticates persons according to those rules, and sends a release or refusal signal to the terminal's controller; the token management service applies for and revokes tokens for personnel and maintains token validity periods; the personnel management service maintains the personnel information of the access control system; the filter maintenance service loads token information into the filter after a token is generated, or periodically resets the filter.
The database stores access rules, personnel tokens and personnel information.
2、准入规则维护2. Maintenance of access rules
如图3所示,门禁系统管理员通过门禁管理端的准入规则维护功能设定准入规则,门禁管理端调用准入控制服务将设定的准入规则信息更新到数据库。活动图如图4所示。As shown in Figure 3, the administrator of the access control system sets access rules through the access rule maintenance function of the access control management terminal, and the access control management terminal calls the access control service to update the set access rule information to the database. The activity diagram is shown in Figure 4.
3、人员维护3. Personnel maintenance
如图5所示门禁系统管理员通过线下汇总人员信息,并使用门禁管理端的人员维护功能录入和更新人员信息,门禁管理端调用门禁核心系统的人员管理服务更新数据库中的人员信息。活动图如图4所示。As shown in Figure 5, the access control system administrator summarizes personnel information offline, and uses the personnel maintenance function of the access control management terminal to enter and update personnel information, and the access control management terminal calls the personnel management service of the access control core system to update the personnel information in the database. The activity diagram is shown in Figure 4.
4、令牌维护4. Token Maintenance
如图7所示,门禁系统管理员收到请求通过门禁系统人员的线下申请后,通过门禁管理端的令牌维护功能为通过审核的人员申请令牌,令牌维护功能调用门禁核心系统的令牌管理服务生成令牌,并存入数据库,然后更新人员信息的令牌属性,调用过滤器维护服务将令牌信息装入门禁终端的布隆过滤器,最后持久化更新令牌信息后的人员信息到数据库,活动流程如图8所示。As shown in Figure 7, after the administrator of the access control system receives the request to pass the offline application of the access control system personnel, the token maintenance function of the access control management terminal applies for a token for the person who has passed the review. The token maintenance function calls the token management service of the access control core system to generate a token and stores it in the database. Then, the token attribute of the personnel information is updated, and the filter maintenance service is called to load the token information into the Bloom filter of the access control terminal. Finally, the personnel information after updating the token information is persisted to the database. The activity flow is shown in Figure 8.
当人员不再需要通过门禁系统时(人员离职或迁移),管理员通过门禁管理端的令牌维护功能将令牌作注销处理,令牌维护功能调用门禁核心系统的令牌管理服务更新令牌信息为失效,并保存令牌信息到数据库,活动流程如图9所示。When personnel no longer need to pass through the access control system (personnel resignation or migration), the administrator will cancel the token through the token maintenance function of the access control management terminal. The token maintenance function calls the token management service of the access control core system to update the token information as invalid, and save the token information to the database. The activity flow is shown in Figure 9.
5、过滤器维护5. Filter maintenance
如图10所示,当门禁系统管理员申请令牌后,门禁核心系统的令牌管理服务调用过滤器维护服务将令牌信息加入布隆过滤器,活动流程如图11所示;当门禁系统管理员注销令牌或令牌到期后,布隆过滤器不会立即更新令牌信息,需要通过夜间定时任务清空布隆过滤器后,重新将令牌装入过滤器,清空活动流程如图12所示。As shown in Figure 10, when the access control system administrator applies for a token, the token management service of the access control core system calls the filter maintenance service to add the token information to the Bloom filter, and the activity process is shown in Figure 11; when the access control system administrator cancels the token or the token expires, the Bloom filter will not update the token information immediately, and the Bloom filter needs to be cleared through the nightly scheduled task, and then the token is reloaded into the filter, and the clearing activity process is shown in Figure 12.
6. Admission control
As shown in Figure 13, when a person requests passage, the recognizer of the access control terminal first performs token authentication (face, fingerprint or card). Having obtained the token information, the recognizer first passes it to the Bloom filter for a membership check. If the Bloom filter reports that the token is definitely absent, the access controller indicates that the person is not authorized and refuses passage. If the Bloom filter reports that the token may be present, the recognizer sends the token information to the admission control service of the access control core system and requests admission.
On receiving the admission request from the recognizer, the admission control service queries token management to check whether the token exists and has not expired. If the token does not exist (or has expired), the access controller indicates that the token does not exist (or has expired) and refuses passage. This database query is the authoritative check: a Bloom filter false positive is rejected here. Because a cancelled token remains in the Bloom filter until the nightly rebuild described in section 5, the query must also treat a token marked invalid by the token maintenance function as non-existent; otherwise a cancelled token would still be accepted until the next rebuild.
If the token is valid, the admission control service calls the token management service to look up the person's information by token, queries the admission rules, and checks whether the person's type and the current time satisfy them. If they do, the admission control service returns an admit command to the access control terminal controller, which opens the door and displays a welcome message; otherwise the access controller indicates insufficient authority and refuses entry.
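The token lifecycle described above (token issue and cancellation in the token maintenance section, the nightly rebuild of section 5, and the filter-then-database admission check of section 6), as an added example that is not part of the patent. It also exercises the caveat the delayed filter update creates: a cancelled token still passes the filter until the nightly rebuild, so the database lookup has to reject it. The filter sizing formula, the SHA-256 double hashing, ISO 8601 time strings, the in-memory token table and the personnel-type time-window rule format are assumptions of this example, not details from the patent.

```python
"""Added example, not the patent's own code: Bloom filter in front of the
token database for issue, cancel, nightly rebuild and admission control.
Filter sizing, SHA-256 double hashing, the in-memory token table and the
rule format are assumptions of this example."""
import hashlib
import math
import secrets
from datetime import datetime, time


class BloomFilter:
    """Standard Bloom filter: no deletions, so revocation needs a rebuild."""

    def __init__(self, capacity, error_rate=0.01):
        # m = -n ln p / (ln 2)^2 bits and k = (m / n) ln 2 hash functions give
        # roughly the requested false-positive rate at the design capacity.
        self.m = math.ceil(-capacity * math.log(error_rate) / math.log(2) ** 2)
        self.k = max(1, round(self.m / capacity * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item):
        # Double hashing (assumption): k bit indexes from one SHA-256 digest.
        d = hashlib.sha256(item.encode()).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def might_contain(self, item):
        # False: definitely absent.  True: present, or a false positive.
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

    def clear(self):
        self.bits = bytearray(len(self.bits))


# Admission rules (assumption): personnel type -> permitted time window.
RULES = {"employee": (time(0, 0), time(23, 59)), "visitor": (time(9, 0), time(18, 0))}


def issue_token(db, bf, person, ptype, expires_iso):
    """Token maintenance: generate a token, store it, load it into the filter."""
    token = secrets.token_urlsafe(16)
    db[token] = {"person": person, "type": ptype,
                 "expires": datetime.fromisoformat(expires_iso), "valid": True}
    bf.add(token)
    return token


def cancel_token(db, token):
    """Token maintenance: mark the token invalid; the filter is left untouched."""
    db[token]["valid"] = False


def rebuild_filter(db, bf, now_iso):
    """Section 5 nightly task: clear the filter and reload only live tokens.
    Returns the number of tokens reloaded."""
    now = datetime.fromisoformat(now_iso)
    live = [t for t, r in db.items() if r["valid"] and r["expires"] >= now]
    bf.clear()
    for t in live:
        bf.add(t)
    return len(live)


def admit(db, bf, token, now_iso):
    """Section 6: filter first, then the authoritative database checks.
    Returns (open_door, message)."""
    now = datetime.fromisoformat(now_iso)
    if not bf.might_contain(token):
        return False, "not authorized"            # definite miss: no DB query
    rec = db.get(token)
    if rec is None or rec["expires"] < now:
        return False, "token does not exist or has expired"
    if not rec["valid"]:
        # Cancelled tokens stay in the filter until the nightly rebuild,
        # so the database, not the filter, must reject them.
        return False, "token cancelled"
    window = RULES.get(rec["type"])
    if window is None or not (window[0] <= now.time() <= window[1]):
        return False, "insufficient authority"
    return True, "welcome " + rec["person"]


if __name__ == "__main__":
    db, bf = {}, BloomFilter(capacity=1000)
    alice = issue_token(db, bf, "alice", "employee", "2021-12-31T00:00")
    bob = issue_token(db, bf, "bob", "visitor", "2021-12-31T00:00")
    print(admit(db, bf, alice, "2021-06-01T12:00"))   # door opens
    print(admit(db, bf, bob, "2021-06-01T20:00"))     # outside the visitor window
    cancel_token(db, bob)
    print(bf.might_contain(bob), admit(db, bf, bob, "2021-06-01T12:00"))  # filter lags, DB rejects
    rebuild_filter(db, bf, "2021-06-01T12:00")
    print(bf.might_contain(bob))                      # gone after the rebuild
```

The filter never produces a false negative, so a valid token is never blocked at the filter stage; the configured false-positive rate only bounds how many spurious reads (misread cards, failed face or fingerprint matches that still yield a token value) reach the database. The order of checks in `admit` mirrors the text: a definite filter miss costs no database round trip, and every "may exist" answer is settled by the token record.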
Besides operating as a stand-alone access control system, the system can be integrated, through extended external interfaces, with a company attendance system for attendance statistics and with a community property management system.
As shown in Figure 15, the system can be used for company access control. In this scenario an attendance management interface can be added that calls the attendance registration service of the company's attendance system to manage and monitor personnel attendance and activity.
As shown in Figure 16, the system can be used for community (residential) access control. In this scenario a property fee query interface can be added, so that the validity period of an access token is controlled by querying property fee payment records.
By introducing a Bloom filter, the system greatly improves its resistance to spurious input. Compared with a traditional access control system, it filters out most spurious signals (such as IC card misreads, mistaken face scans or accidental fingerprint touches) before they reach the database, reducing the database query load. This is especially suitable for enterprises and institutions that receive a large number of access requests within a short time at the start and end of the working day; it improves recognition efficiency, shortens passage time and reduces management cost.
The above describes only preferred embodiments of the present invention, intended to illustrate its technical solution and not to limit its scope of protection. Any modification, equivalent substitution or improvement made within the spirit and principles of the present invention falls within its scope of protection.
Claims (1)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011393624.6A CN112562151B (en) | 2020-12-03 | 2020-12-03 | An Access Control System Based on Bloom Filter |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011393624.6A CN112562151B (en) | 2020-12-03 | 2020-12-03 | An Access Control System Based on Bloom Filter |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN112562151A CN112562151A (en) | 2021-03-26 |
| CN112562151B true CN112562151B (en) | 2023-07-21 |
Family
ID=75047301
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202011393624.6A Active CN112562151B (en) | 2020-12-03 | 2020-12-03 | An Access Control System Based on Bloom Filter |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112562151B (en) |
Families Citing this family (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113903444A (en) * | 2021-12-02 | 2022-01-07 | 白杨智慧医疗信息科技(北京)有限公司 | Access method and device for operating room and server |
| CN114780769B (en) * | 2022-06-13 | 2022-09-13 | 杭州合众数据技术有限公司 | Personnel checking method based on bloom filter |
| US12192205B2 (en) | 2022-06-24 | 2025-01-07 | Microsoft Technology Licensing, Llc | Utilizing probability data structures to improve access control of documents across geographic regions |
| CN116094748A (en) * | 2022-11-23 | 2023-05-09 | 紫光云技术有限公司 | A Message Signature Verification and Interception System Based on Bloom Filter |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN206557866U (en) * | 2016-08-31 | 2017-10-13 | 北京厚文知识产权顾问有限公司 | A kind of gate control system based on GPS location |
| WO2019060000A1 (en) * | 2017-09-25 | 2019-03-28 | Microsoft Technology Licensing, Llc | System of mobile notification delivery utilizing bloom filters |
| US10650003B1 (en) * | 2016-03-31 | 2020-05-12 | Amazon Technologies, Inc. | Expiration of elements associated with a probabilistic data structure |
Family Cites Families (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9256720B2 (en) * | 2011-05-18 | 2016-02-09 | Nextgenid, Inc. | Enrollment kiosk including biometric enrollment and verification, face recognition and fingerprint matching systems |
| WO2013144423A1 (en) * | 2012-03-30 | 2013-10-03 | Nokia Corporation | Identity based ticketing |
| US9712513B2 (en) * | 2015-10-05 | 2017-07-18 | Kony, Inc. | Identity management over multiple identity providers |
| CN106205025A (en) * | 2016-09-27 | 2016-12-07 | 北海益生源农贸有限责任公司 | A kind of intelligent security protection management system |
| CN206388255U (en) * | 2016-11-30 | 2017-08-08 | 北京铁路信号有限公司 | A kind of gate control system |
| CN107657706A (en) * | 2017-10-27 | 2018-02-02 | 佛山科学技术学院 | An access control system and joint recognition method based on RFID and face recognition |
| CN109614407A (en) * | 2018-12-10 | 2019-04-12 | 北京奇艺世纪科技有限公司 | A kind of request processing method and equipment |
| US10988115B2 (en) * | 2019-02-11 | 2021-04-27 | Ford Global Technologies, Llc | Systems and methods for providing vehicle access using biometric data |
| CN110718010A (en) * | 2019-10-08 | 2020-01-21 | 八兔软件科技(上海)有限公司 | Property access control system |
| CN110827458A (en) * | 2019-12-20 | 2020-02-21 | 江苏瑞孚特物联网科技有限公司 | Hospital visiting management system and method based on face recognition |
| CN111654665A (en) * | 2020-05-15 | 2020-09-11 | 合肥极光科技股份有限公司 | Intelligent tail money cabinet monitoring system |
- 2020-12-03 CN CN202011393624.6A patent/CN112562151B/en, status: Active
Also Published As
| Publication number | Publication date |
|---|---|
| CN112562151A (en) | 2021-03-26 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN112562151B (en) | An Access Control System Based on Bloom Filter | |
| US7464858B2 (en) | Systems and methods for controlling access within a system of networked and non-networked processor-based systems | |
| US7809951B2 (en) | System and method for automated border-crossing checks | |
| US6747564B1 (en) | Security guarantee method and system | |
| CN109767534B (en) | Access control access method, system, management terminal and access control terminal based on block chain | |
| US20080290988A1 (en) | Systems and methods for controlling access within a system of networked and non-networked processor-based systems | |
| US10243740B2 (en) | Multi-use long string authentication keys | |
| CN108932776A (en) | A kind of two dimensional code access control system and operation method based on face characteristic value | |
| US20120098638A1 (en) | Systems and methods of operating a secured facility | |
| JP2010287124A (en) | Biometric matching system and biometric matching method | |
| CN120338736A (en) | A human resource management method and system based on data security | |
| CN120017424B (en) | A method and system for secure access to encrypted enterprise network data | |
| CN108898705A (en) | A kind of Household access control system and its authorization method shared with permission | |
| CN116389145A (en) | Dynamic access control method based on multi-factor authentication combined with multi-dimensional authorization model | |
| CN101036339B (en) | Disseminating additional data used for controlling access | |
| CN107886601A (en) | A kind of office door access control system and its open method | |
| CN116982332A (en) | Method, processor device, motor vehicle and infrastructure device for authorizing a first participant in a communication network | |
| CN110766850A (en) | Visitor information management method, access control system, server and storage medium | |
| CN114360129A (en) | Access control management method, system and equipment, and storage medium | |
| CN120656261A (en) | Access control management system and method based on remote APP control management | |
| US20120068814A1 (en) | Systems and methods of operating a secured facility | |
| CN107700962A (en) | A kind of safe and intelligent door-locking system and its control method | |
| CN115601870A (en) | Access control method, system and storage medium | |
| RU2825278C1 (en) | Method of controlling and managing access | |
| CN110335373A (en) | Intelligent door lock and intelligent access control system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |