WO2004025893A1 - Software architecture system for a security management system - Google Patents

Publication number
WO2004025893A1
Authority
WO
WIPO (PCT)
Prior art keywords
security information
security
client
information server
program
Application number
PCT/US2003/027556
Inventor
Frank S. Muraske
Original Assignee
Sigcom, Inc.
Application filed by Sigcom, Inc.
Priority to AU2003268402A
Publication of WO2004025893A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2135 Metering
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Definitions

  • the present invention relates generally to physical security management systems. More particularly, the invention relates to a software architecture system for such security management systems and an implementation of the architecture.
  • the architecture includes a security information client framework and a security information server framework.
  • the security information client framework is for developing a security information client program, and includes a container program for one or more software components, each of which runs in the container program.
  • the client framework also includes one or more software components for providing a user interface to the security information client program, at least one software component for providing communication to and from a security information server program, and at least one software component for providing a virtual connection between the security information client program and a security device.
  • the architecture also includes a security information server framework for creating a plurality of security information server programs.
  • the security information server framework includes a security device manager for determining whether a particular security information client program is authorized to access a particular security information device and whether a particular user is authorized to access a particular security device.
  • the server framework also includes a network scanner for identifying security devices that are present on the network and for handling events received from a security device.
  • Another component of the server framework is a messaging queue, which includes a broadcast queue, one or more service management queues and one or more service specific queues.
  • the broadcast queue sends and receives messages to and from each of the plurality of security information server programs, and the messages include information as to the availability of each security information server program.
  • Specific security information services are provided via one of the security information service specific queues.
  • Each security information server program requests a security information service specific queue via one of the service management queues.
  • the server framework also includes at least one software component for providing communication from and to a security information server program.
  • the system includes a plurality of IP networked security devices, a security information server and a security information client.
  • Each security device includes a processor, a memory and a network adapter.
  • a security information server is in electronic communication with each of the security devices via the IP network.
  • the security information server includes a processor and a memory, and processing logic is stored in the memory for controlling each of the security devices responsive to a request for a security information service or an occurrence of a security event.
  • the security information client is in electronic communication with the security information server via the IP network.
  • the client includes a processor and a memory, and processing logic is stored in the memory for providing a user interface to the security information client and for sending a request for a security information service to the security information server and for receiving a security information service from the security information server in response to the request or the occurrence of a security event.
  • more than one security device can be controlled simultaneously by the user via the user interface.
  • the security device can be an IP video camera for transmitting a video signal to the security information server.
  • the video signal received by the security information server is transmitted to the security information client, and is displayed on the security information client via the user interface.
  • a user can control the IP video camera via the user interface.
  • the system can also include a 3-dimensional pointing device that electronically communicates with the security information client, allowing for user control of the video camera via the 3-dimensional pointing device.
  • the 3-dimensional pointing device interfaces with the security information client via a DirectX driver.
  • the system can also include a digital video recorder that receives video signals from the video camera via the security information server, stores the video signals, and serves the stored video signals to the security information client via the security information server.
  • the security devices of the system can include access control devices, such as electronic locks, alarms, intrusion detection devices, lighting devices and audio communication devices, such as intercoms.
  • a programmable logic controller can be interposed between the security information server and the security device.
  • the security information server can include logic for determining whether a user is authorized to access a security information client, whether a user is authorized to control a particular security device or the number of security devices that a user can control at the same time.
  • the number of security devices that a user can control at the same time is determined on the basis of the physical limitations of the network, such as bandwidth.
  • the security information client can include a container for a software component, such as an ActiveX control or a JavaBean.
  • the container can be a web browser, a Visual C program, a Visual C++ program, a Visual C# program, a Visual Basic program, a Java program and an InTouch program.
  • Exemplary functions of the software component are video monitor control, input device control and audio device control.
  • An alternate embodiment of the invention is directed to a computer based system for providing security information services via a plurality of security information servers.
  • the system includes a plurality of IP networked security devices, a plurality of security information servers and a security information client.
  • Each of the plurality of the security information servers includes a processor and a memory, is logically associated with one or more security devices, and is in electronic communication via an IP network with each of the associated security devices.
  • Processing logic is stored in memory for controlling each of the associated security devices responsive to a request for a security information service or the occurrence of a security event.
  • Information as to the state of each security information device is also stored in the memory of the security information server logically associated with the device.
  • Each security information server is in electronic communication with the other security information servers so that each security information server is aware of the status of each device associated with each of the other security information servers.
  • the security information client is in electronic communication with each of the security information servers via the IP network.
  • the client includes a processor and a memory, and processing logic is stored in the memory for providing a user interface to the security information client, for sending a request for a security information service to one or more of the security information servers, and for receiving a security information service from one or more of the security information servers in response to the request or the occurrence of a security event.
  • Another alternate embodiment of the invention is directed to a computer based system for providing security information services via a plurality of security information servers and a plurality of security information clients.
  • the system includes a plurality of IP networked security devices, a plurality of security information servers and a plurality of security information clients.
  • Each of the plurality of the security information servers includes a processor and a memory, is logically associated with one or more security devices, and is in electronic communication via an IP network with each of the associated security devices.
  • Processing logic is stored in memory for controlling each of the associated security devices responsive to a request for a security information service or the occurrence of a security event.
  • Information as to the state of each security information device is also stored in the memory of the security information server logically associated with the device.
  • Each security information server is in electronic communication with the other security information servers so that each security information server is aware of the status of each device associated with each of the other security information servers.
  • Each of the plurality of security information clients is in electronic communication with at least one of the security information servers via an IP network.
  • Each security information client is comprised of a processor and a memory, and processing logic is stored in the memory for providing a user interface to the security information client, for sending a request for a security information service to at least one of the security information servers, and for receiving a security information service from at least one security information server in response to the request or the occurrence of a security event.
  • User priority information can be stored in the memory of the security information server, and the processing logic of the security information server includes logic that uses the user priority information for determining which user has priority to a particular security device when more than one user attempts to control the device simultaneously.
  • Figure 1 is a block diagram of the software architecture system of the present invention.
  • Figure 2 is a high-level diagram of an exemplary physical security management system based on the software architecture system of the present invention.
  • Figure 3 is a diagram of the physical components of an exemplary physical security management system.
  • Figure 4 is a data flow diagram and schematic for the security information client of the present invention.
  • Figure 5 is a data flow diagram and schematic for the security information server of the present invention.
  • Figure 6 is a flow diagram illustrating one method for a user to request and receive access to security devices.
  • An embodiment of the present invention is directed to a software architecture system for providing security information services over a packet switched network, such as a network using the Internet Protocol ("IP").
  • By "security information services," I mean the information that is electronically communicated between a computerized physical security information management system and the physical security devices.
  • the physical security devices include devices that provide surveillance, access control, alarms, intrusion detection, perimeter security, lighting, locks and key control for a secure facility, such as a prison.
  • Another embodiment of the system is an implementation of the software architecture system to provide security information services over a packet switched network.
  • the software architecture 10 of the present invention is graphically illustrated on a block diagram.
  • the software architecture 10 is based on a component object model ("COM"), which is a framework for developing and supporting software component objects.
  • By "software component," I mean a reusable program building block that can be combined with other components in the same or other computers in a distributed network to form an application.
  • components can be deployed on different servers in a network and communicate with each other for needed services.
  • a component runs within a context called a "container."
  • By "container," I mean an application program or subsystem in which the component is run.
  • the software architecture 10 includes a security information client framework 12 and a security information server framework 14, each of which will be described in enabling detail below.
  • the security information client framework 12 provides a structure for developing a security information client program.
  • the security information client framework 12 includes a container 16, in which software objects are run.
  • the container 16 is used to provide a user interface 18, one or more virtual connections 20 with the security devices of the security system and a security information server link 24.
  • the container could be, for example, a page on a Web site, a Web browser, a word processor, a Visual C program, a Visual C++ program, a Visual C# program, a Visual Basic program, or a Java program.
  • the user interface 18 can be constructed using, for example, the Microsoft Foundation Class ("MFC") library, which is available from Microsoft Corporation of Redmond, Washington.
  • the MFC library includes classes for all graphical user interface elements, such as windows, frames, menus, tool bars, status bars, etc.
  • the security information client framework 12 also includes one or more software components for creating a virtual connection 20 between a security information client program and a security device 22.
  • By "virtual connection," I mean that the communication between the security information client program and the security device occurs over a packet switched network.
  • the security information client framework 12 also includes a security information server link 24, which is a software component that facilitates all communications between a security information client program and one or more security information server programs.
  • the security information server framework 14 is a structure for developing a plurality of security information server programs.
  • the security information server framework 14 includes a network scanner 26, a device manager 28, a messaging queue 30 and a security information client link 38, each of which is discussed in enabling detail below.
  • the network scanner 26 provides the functions of identifying each of the security devices that are present on the network, listening for and handling events that are generated by any of the security devices present on the system, and providing services to reprogram security devices.
  • By "present on the network," I mean that a particular security device has an IP address and can send and receive data packets via the IP address.
  • legacy security devices that are not IP addressable communicate with the security information server via a device with an IP address that is interposed between the legacy security device and the server.
  • By "event," I mean an action or occurrence detected by a security information server program.
  • the device manager 28 determines whether a particular security information client program is authorized to access a particular security information device and whether a particular user is authorized to access a particular security device.
  • the messaging queue 30 allows all of the software components of the architecture to communicate with each other.
  • the messaging queue 30 is the mechanism through which a security information client program and a security information server program request network resources, such as a security device.
  • the message queue is a method by which processes (or program instances) can exchange or pass data using an interface to a system-managed queue of messages. Messages can vary in length and be assigned different types or usages.
  • a message queue can be created by one process and used by multiple processes that read and/or write messages to the queue.
  • a security information server process can read and write messages from and to a message queue created for security information client processes.
  • the message type can be used to associate a message with a particular client process even though all messages are on the same queue.
  • the message queue is managed by the operating system (or kernel).
  • Application programs or their processes create message queues and send and receive messages using an application program interface (API).
  • the message queue 30 is comprised of a broadcast queue 32, one or more service management queues 34 and one or more service specific queues 36, each of which will be discussed in enabling detail below.
  • the broadcast queue 32 is used to send and receive "wake up" messages from a security information server or client program.
  • By "wake up message," I mean the mechanism by which a security information server program advises other security information server programs that it is present on the network and available to send and receive messages.
  • each security information server program sends a data packet to the broadcast queue so that each security information server program is aware of the other security information server programs that are available.
  • the data packet preferably includes the IP address of the computer upon which the security information server program is running, and permits a queue manager to establish or reconnect to queues specific to a security information server program.
  • the service management queue 34 is used by security information server and client programs to establish a specific service queue and to notify other security information server programs of problems with queues specific to a particular security information server program.
  • the service management queue 34 is analogous to the "D-channel" of an Integrated Services Digital Network ("ISDN").
  • a service specific queue 36 is used by each security information server or client program to perform system services, including security information services.
  • Each security information specific queue 36 belongs to a queue pool, which in turn is connected to a dedicated network socket. This architecture advantageously allows for extensibility of the security system and ensures that there will be sufficient resources available to manage the system.
  • the system also includes a database, such as a SQL server, which is used to log events that occur within the system and to store system information necessary to provide specific security information services.
  • the message queues electronically communicate with the SQL server in order to perform the requested service. For example, the information needed to communicate with a specific camera, such as its IP address, is not stored by the security information client. The client need only know the system name; the IP address is obtained from the database and returned to the service specific queue.
  • the security information server framework 14 also includes a security information client link 38, which is a remotable class that facilitates all communications between a security information client program and one or more security information server programs.
  • the computerized physical security management system comprises at least one security information client 120 that provides a user interface to the security system.
  • At least one, and preferably multiple servers 140, referred to herein as security information servers, are in electronic communication with one or more of the clients 120. These servers 140 are also in electronic communication with one another for distributing information about the "state" of the security devices associated with the system, as described in greater detail below.
  • Each security information server 140 in the system 100 is logically associated with, and therefore, has control over, a selected group of security devices 150, 160, 170, and 180.
  • the group of security devices with which a server 140 is associated is sometimes referred to as a "domain."
  • the security devices may include, but are not limited to fixed cameras, pan-tilt-zoom ("PTZ") cameras, access control devices, alarms, intrusion detection devices, perimeter security devices, lighting devices, locks, key control devices and intercoms.
  • Security devices may include a processor and a memory. Instructions for controlling the security device are stored in the memory and are executed by the processor.
  • Security devices also have network adapters, which provide a physical interface to the network to which the security devices are connected, such as an IP network. Alternatively, programmable logic controllers may be interposed between a server 140 and the security devices.
  • Figure 3 is a diagram of the physical components of an exemplary physical security management system 100 of the present invention. More specifically, the physical components of the security information client 120 are shown in greater detail. While the system 100 requires only one client 120, the present system 100 is extensible to accommodate an unlimited number of clients via the Ethernet connection to the system.
  • the client 120 is a desktop or laptop computer 122 with a processor and a
  • the processor is at least a Pentium IV® processor, which is available
  • At least one monitor or display 126 is in electronic communication with the computer 122, but as many as four monitors 126 may be connected, so that the user has expanded access and viewing capability. For example, multiple monitors 126 will permit the user to access multiple security devices simultaneously.
  • User interface at the workstation 120 may include a conventional keyboard 123, a conventional pointing device 125, such as a mouse, or a three-dimensional pointing device 127.
  • a three-dimensional pointing device 127 such as a SpaceMouse XT, available from 3Dconnexion of Silicon Valley, California, enables the user to provide input without the need for a keyboard 123 or other pointing device 125.
  • the SpaceMouse XT pointing device 127 is connected to the computer 122 via a universal serial bus (USB) interface that is driven by a DirectX driver. As used with the SpaceMouse XT joystick, the user is able to manipulate a PTZ camera in three dimensions.
  • the security information server 140 comprises a computer 141 for running the software that controls and/or provides access to the security devices 150 through 180, and
  • the computer 141 desirably contains a Pentium IV® or equivalent processor. While not required, a monitor 142 and keyboard 143 may be provided so that system administrators can perform routine maintenance, backup, etc.
  • Electronically connected to at least one computer 141 is a redundant array of inexpensive disks (RAID) 144.
  • RAID provides a data storage method in which data is distributed across a group of computer disk drives that function as a single storage unit. In the present implementation, all of the system information is stored on each of the disks in the array so that no data is lost if one of the disks fails.
  • the RAID stores video images that have been captured and saved, in JPEG or MPEG formats, for example.
  • a suitable RAID is comprised of an Escalade 7500 Series ATA RAID controller card, one to four Escalade RDC-300 drive carrier cages, each of which can accommodate three hard drives, and one to twelve 160GB ATA 133 IDE hard drives, which are available from 3Ware, Inc. of Mountain View, California.
  • a network video recorder server 145 is provided for recording digitized video images.
  • One suitable network video recorder server 145 is Model 6022P-6, which is available from SuperMicro Computer, Inc. of San Jose, California.
  • Each security information server 140 is logically associated with and controls a selected group of security devices 150, 160, 170, and 180. That is, each of the security devices is in electronic communication with only one server 140. While there is no established minimum number of devices within the domain of a server 140, it has been found that associating no more than 48 video and/or audio devices, such as cameras, per server 140 is optimal.
  • Functions performed by the security information server include determining whether a particular security information client is authorized to access a particular security device and determining whether a particular user is authorized to access a particular device.
  • User priority information can be stored in the memory of the security information server, and the security information server includes processing logic that uses the user priority information for determining which user has priority to a particular security device when more than one user attempts to control a particular security device at the same time.
  • server 140 controls a plurality of fixedly mounted IP addressable cameras 170, IP addressable pan-tilt-zoom (PTZ) cameras 180, intercom stations 150, and electronic door locks 160.
  • IP addressable cameras 170 suitable for the present implementation include digital IP cameras available from Indigo Vision Group, plc of Edinburgh, United Kingdom, as Model No. VP603W53-NTSC.
  • IP addressable PTZ cameras 180 are available from Ultrak, Inc. of Lewisville, Texas as Model No. KD6. These devices will either have built-in network video cards or must route their signals through a network interface device, such as a VB6004 available from Indigo Vision, or a network card within the server computer.
  • a video server 182 may be provided with the PTZ camera 180 to digitize the analog signal from the camera.
  • the video server used in the present implementation is available from Indigo Vision as Model VB6004.
  • the security information clients 120, security information servers 140, and security devices 150, 160, 170, and 180 are interconnected by a system of coaxial cable, fiberoptic cable, or twisted-pair wiring as is conventional for Ethernet installations.
  • the plurality of security devices 150, 160, 170, and 180 are directly interconnected to a first network switch 135.
  • Dual fiber uplinks 135a, 135b from the first network switch 135 are then interconnected to redundant second network switches 137, 138.
  • the redundancy of the second network switches provides an added level of reliability against the failure of one of the switches 137, 138.
  • Switches 137, 138 provide dual feeds to computer 141 at the security information server 140.
  • Switches 137, 138 also enable electronic communication between the plurality of security information servers 140. Dual uplinks 137a, 138a from switches 137, 138 provide interconnection to a third network switch 139 which is electronically connected to one or more security information client computers 122. As those skilled in the art will appreciate, the plurality of network switches 135, 137, 138, and 139 permit the system 100 to be configured in either a ring or star topology, and desirably both.
  • A simplified functional block diagram for the security information client 120 user interface is shown in Figure 4.
  • the user interface to the security information client 120 is comprised of software components, such as ActiveX controls, that run in a container 410.
  • the container is an application program developed in Visual C. ActiveX is preferred because it provides a set of technologies that enable software components, such as VideoBridge for Indigo Vision IP addressable cameras, to interact with one another in the network environment, regardless of the language in which the components were created.
  • other containers can be used, such as a web browser, a Visual C++ program, a Visual C# program, a Visual Basic program, a Java program or an InTouch program. InTouch is a human machine interface program available from the Wonderware division of Invensys, plc of London, England.
  • Embedded as ActiveX controls in the container 410 are logic equations 420 that govern the client's interaction with the system 100.
  • a family of ActiveX controls, shown in Figure 4 as 441 through 445, has been developed to control the client's interaction with the security devices based upon the protocol of each type of device.
  • An input control 442 provides interaction between an input device, such as a three-dimensional pointing device 127, and the client.
  • a sound control 441 facilitates communications between the client and an audio device, such as an intercom.
  • a monitor control 443, 444, 445 facilitates communication between the client and a video device, such as an IP camera.
  • a client may run up to 16 soft monitors, which would permit the simultaneous display of images from 16 video cameras on client monitor 126. Where multiple monitors 126 are connected to the client computer 122, multiple devices may be accessed and displayed.
  • A functional block diagram of the security information server 140 is shown in Figure 5.
  • the operating environment for the server 140 is based on the Microsoft .NET platform.
  • Network access functionality 520 comprises the communications link 522 with each of the security information clients 120 and the other security information servers 140.
  • each server computer 141 communicates back to the client information as to the devices that are available and that the user is authorized to access.
  • each security information server 140 is programmed with general rules and logic concerning the devices under its control, as well as rules determining whether a particular user is authorized to access a particular device. For example, where the security devices comprise locked doors A and B, the logic may not permit door B to be unlocked if door A is already unlocked.
  • Remote classes 524 provide background functionality for the security information server 140. These routines handle, for example, abstraction, determine the status of devices, and activate preprogrammed tasks, such as interlock enables, door hold opens, function forces, and camera presets.
  • a SQL server database 526 stores device configuration data, maintains a log of events, and provides requested reports.
  • Microsoft Message Queue 528 also runs on the server computer 141 to handle routine messages such as routine reports, software updates, etc. Routine messages do not include requests for access to security devices, which must be handled expeditiously.
  • a device scan and administrative function 529 is a set of routines that permit a system administrator to add or delete devices accessible via the security information server 140.
  • a device interface routine 525 is provided by the server for a particular device. If, however, a client "leases" a particular device from the server, the server may relinquish control of certain functions of the leased device to the client. By “lease,” I mean that the client has exclusive control over the device and the device is no longer available to any other client. Certain devices that cannot be accessed by more than one client at the same time, such as intercoms and door locks, must be leased exclusively to one client.
  • network video recorder software 510 provides the video recording and playback function.
  • a user can access 610 the system 100 via a security information client computer 122.
  • user access is granted based upon entry of a user identification and password.
  • the operating system software transmits a broadcast message to each of the security information servers 140 in the system that the particular user is logged on.
  • the security information client 120 requests from each server 140 the status of available security devices.
  • Each server then communicates 620 back to the client 120 the devices that are available and the devices the user is authorized to access.
  • Each user's access to security devices may be customized for the user depending upon the user's position, priority, etc. For example, a particular user may have access to cameras, but may not have permission to manipulate door locks or other securing devices. Permissions are stored in memory at each of the security information servers 141.
  • a menu, or the like, on the monitor 126 displays representations of the available devices that the user is authorized to control and/or view. The user can then begin requesting 630 access to specific devices up to the user's authorized maximum. In one embodiment of the present invention, each user is limited to 32 devices at any one time.
  • each of the security information servers 141 is in electronic communication with the others, wherein, at predetermined time intervals, every minute, for example, each of the servers 141 communicates 640, or distributes information, about the state of the security devices logically associated with the server.
  • the maximum number of devices a user can access is 32, and that the user has been granted access to 14 devices from server A and 18 devices from server B.
  • If the user then requests access to a device from server C, the user will be denied access to the device based on information provided by servers A and B as to the number of devices to which the user currently has access. If a user has not accessed the maximum number of devices, and is authorized to access a requested device, then access will be granted 650. Responsive to the user's request, the appropriate server 141 will turn on the device and provide an appropriate acknowledgement to the user. In the case of a fixed camera 170, the server will enable a soft monitor on the user's monitor with a video image of the particular area in the facility that is monitored by the fixed camera 170. The user can have multiple soft monitors enabled on the monitor at any one time, but desirably each client will be limited to 16 soft monitor images.
  • the user will be provided a video image, and if authorized, will be allowed to manipulate the camera 180 by means of the three-dimensional pointing device. Because the user's access to a particular device is also based upon priority, the user's access to a particular device may be terminated by the server 141 if a user with a higher priority requests the device. Additionally, in one implementation of the system of the present invention, access to a device is fixed at a predetermined time; e.g., 1 minute.
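The access procedure in the items above (request 630, state distribution 640, grant 650), modelled as an added example that is not code from the patent or from Sigcom. The class and method names, the numeric priority scale and the per-user counts exchanged between servers are assumptions; the model also shows that a server decides on whatever counts its peers last distributed.

```python
"""Added example: a model of the device access decision. All names are illustrative."""
from dataclasses import dataclass, field

MAX_DEVICES_PER_USER = 32                    # per-user cap from the described embodiment
EXCLUSIVE_KINDS = {"intercom", "door_lock"}  # devices that must be leased to one client


@dataclass
class Device:
    name: str
    kind: str                                      # "camera", "door_lock", "intercom", ...
    holders: dict = field(default_factory=dict)    # user name -> priority


@dataclass
class User:
    name: str
    priority: int             # assumption: a higher number means higher priority
    allowed_kinds: frozenset  # permissions stored at the server


class SecurityInfoServer:
    """One server and the devices in its domain (hypothetical class)."""

    def __init__(self, name, devices):
        self.name = name
        self.devices = {d.name: d for d in devices}
        self.peers = []
        self.peer_counts = {}   # peer name -> {user: count}, as last distributed

    def local_counts(self):
        counts = {}
        for dev in self.devices.values():
            for user in dev.holders:
                counts[user] = counts.get(user, 0) + 1
        return counts

    def distribute_state(self):
        """Step 640: send this server's per-user device counts to every peer."""
        snapshot = self.local_counts()
        for peer in self.peers:
            peer.peer_counts[self.name] = dict(snapshot)

    def devices_held(self, user_name):
        """The user's total as this server knows it: own state plus last peer reports."""
        total = self.local_counts().get(user_name, 0)
        return total + sum(c.get(user_name, 0) for c in self.peer_counts.values())

    def request(self, user, device_name):
        """Steps 630 and 650: return (granted, reason)."""
        dev = self.devices.get(device_name)
        if dev is None:
            return False, "unknown device"
        if dev.kind not in user.allowed_kinds:
            return False, "not authorized"
        if user.name in dev.holders:
            return True, "already held"
        if self.devices_held(user.name) >= MAX_DEVICES_PER_USER:
            return False, "device limit reached"
        if dev.kind in EXCLUSIVE_KINDS and dev.holders:
            holder, holder_priority = next(iter(dev.holders.items()))
            if user.priority <= holder_priority:
                return False, f"leased to {holder}"
            dev.holders.clear()   # a higher-priority request terminates the lease
        dev.holders[user.name] = user.priority
        return True, "granted"


def build_scenario():
    """Constructed sample: 14 cameras on A, 18 on B, one camera and one lock on C."""
    a = SecurityInfoServer("A", [Device(f"a-cam{i}", "camera") for i in range(14)])
    b = SecurityInfoServer("B", [Device(f"b-cam{i}", "camera") for i in range(18)])
    c = SecurityInfoServer("C", [Device("c-cam0", "camera"),
                                 Device("c-lock0", "door_lock")])
    for server in (a, b, c):
        server.peers = [p for p in (a, b, c) if p is not server]
    return a, b, c


if __name__ == "__main__":
    a, b, c = build_scenario()
    guard = User("guard", 1, frozenset({"camera"}))
    for name in list(a.devices):
        a.request(guard, name)
    a.distribute_state()
    for name in list(b.devices):
        b.request(guard, name)
    print("C before B distributes:", c.devices_held("guard"))   # stale view
    b.distribute_state()
    print("C after B distributes: ", c.devices_held("guard"))
    print("request to C:", c.request(guard, "c-cam0"))
```

In the model, the 32-device cap holds only once the peers' counts have arrived, so the distribution interval bounds how long a server can decide on an out-of-date total.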

Abstract

A software architecture system for providing security information services over a packet switched network, including a security information client framework for developing a security information client program, and a security information server framework for creating multiple security information servers. The security information client framework includes a container program, one or more software components for providing a user interface, at least one software component for providing communication with a security information server program, and at least one software component for providing a virtual connection between the security information client program and a security device. The security information server framework includes a security device manager for determining whether a client program or user are authorized to access a particular security information device, a network scanner for identifying security devices that are present, a messaging queue, and at least one software component for providing communication with a security information client program.

Description

SOFTWARE ARCHITECTURE SYSTEM FOR A SECURITY MANAGEMENT SYSTEM
FIELD OF THE INVENTION
The present invention relates generally to physical security management systems. More particularly, the invention relates to a software architecture system for such security management systems and an implementation of the architecture.
BACKGROUND OF THE INVENTION
Over the past several decades, physical security systems have evolved from manned observation stations and patrols to more technologically complex systems and devices that allow remote surveillance and access control of designated security zones, using closed circuit television, electronic door locks, and the like. This evolution has resulted in economies of scale for large security operations, reduced labor costs, and devices that continuously provide video images, for example.
As security devices and related systems have become more complex, computer-based physical security management systems that integrate various security devices have evolved and are now well known in the art. Such computerized security management systems allow for central, computerized control of security devices, such as cameras, intercoms, and electronic locks.
Recently, there have been rapid advances in computer hardware, software and communications systems used in the implementation of physical security management systems. As a result, enterprises relying on such computer-based systems must decide between expensive upgrades in hardware and software or foregoing such upgrades and creating a risk that the physical security of the monitored facility will be compromised. In addition, operators of physical security systems also require a computer-based system that can be easily customized to meet their evolving security needs. For example, expansions of the physical plant or the development of new security devices would require existing systems to be modified.
Despite these numerous advances in computer based physical security management systems, there remain shortcomings and problems associated with these systems. For example, when an existing physical security system is expanded or upgraded, the prior art computerized security management systems require extensive modifications to the underlying software applications and the computer hardware upon which such applications are run. Such modifications are time consuming and expensive. Thus, there is a need in the art for a software architecture that is extensible, open and flexible. Such extensibility would be achieved if new software applications and physical security devices could be added without requiring major modifications of the computerized physical security management system, particularly, rewriting or extensively modifying the application software for the system. Such an open and flexible physical security management system software architecture would be compatible with multiple physical security devices and be easy to upgrade and customize, allowing the physical security system to evolve and to continue to serve the various needs of the enterprise.
SUMMARY OF THE INVENTION
One embodiment of the present invention is directed to a software architecture system for providing security information services over a packet switched network. The architecture includes a security information client framework and a security information server framework. The security information client framework is for developing a security information client program, and includes a container program for one or more software components, each of which runs in the container program. The client framework also includes one or more software components for providing a user interface to the security information client program, at least one software component for providing communication to and from a security information server program, and at least one software component for providing a virtual connection between the security information client program and a security device. The architecture also includes a security information server framework for creating a plurality of security information server programs. The security information server framework includes a security device manager for determining whether a particular security information client program is authorized to access a particular security information device and whether a particular user is authorized to access a particular security device. The server framework also includes a network scanner for identifying security devices that are present on the network and for handling events received from a security device.
Another component of the server framework is a messaging queue, which includes a broadcast queue, one or more service management queues and one or more service specific queues. The broadcast queue sends and receives messages to and from each of the plurality of security information server programs, and the messages include information as to the availability of each security information server program. Specific security information services are provided via one of the security information service specific queues. Each security information server program requests a security information service specific queue via one of the service management queues.
The server framework also includes at least one software component for providing communication from and to a security information server program.
Another embodiment of the invention is a computer based system for providing security information services. The system includes a plurality of IP networked security devices, a security information server and a security information client. Each security device includes a processor, a memory and a network adapter. A security information server is in electronic communication with each of the security devices via the IP network. The security information server includes a processor and a memory, and processing logic is stored in the memory for controlling each of the security devices responsive to a request for a security information service or an occurrence of a security event. The security information client is in electronic communication with the security information server via the IP network. The client includes a processor and a memory, and processing logic is stored in the memory for providing a user interface to the security information client and for sending a request for a security information service to the security information server and for receiving a security information service from the security information server in response to the request or the occurrence of a security event. In addition, more than one security device can be controlled simultaneously by the user via the user interface. The security device can be an IP video camera for transmitting a video signal to the security information server. The video signal received by the security information server is transmitted to the security information client, and is displayed on the security information client via the user interface. A user can control the IP video camera via the user interface. The system can also include a 3-dimensional pointing device that electronically communicates with the security information client, allowing for user control of the video camera via the 3-dimensional pointing device. 
The 3-dimensional pointing device interfaces with the security information client via a DirectX driver.
The system can also include a digital video recorder that receives video signals from the video camera via the security information server, stores the video signals, and serves the stored video signals to the security information client via the security information server.
The security devices of the system can include access control devices, such as electronic locks, alarms, intrusion detection devices, lighting devices and audio communication devices, such as intercoms. A programmable logic controller can be interposed between the security information server and the security device.
The security information server can include logic for determining whether a user is authorized to access a security information client, whether a user is authorized to control a particular security device or the number of security devices that a user can control at the same time. The number of security devices that a user can control at the same time is determined on the basis of the physical limitations of the network, such as bandwidth.
The security information client can include a container for a software component, such as an ActiveX control or a JavaBean. The container can be a web browser, a Visual C program, a Visual C++ program, a Visual C# program, a Visual Basic program, a Java program and an InTouch program. Exemplary functions of the software component are video monitor control, input device control and audio device control.
An alternate embodiment of the invention is directed to a computer based system for providing security information services via a plurality of security information servers. The system includes a plurality of IP networked security devices, a plurality of security information servers and a security information client.
Each of the plurality of the security information servers includes a processor and a memory, is logically associated with one or more security devices, and is in electronic communication via an IP network with each of the associated security devices. Processing logic is stored in memory for controlling each of the associated security devices responsive to a request for a security information service or the occurrence of a security event. Information as to the state of each security information device is also stored in the memory of the security information server logically associated with the device. Each security information server is in electronic communication with the other security information servers so that each security information server is aware of the status of each device associated with each of the other security information servers.
The security information client is in electronic communication with each of the security information servers via the IP network. The client includes a processor and a memory, and processing logic is stored in the memory for providing a user interface to the security information client, for sending a request for a security information service to one or more of the security information servers, and for receiving a security information service from one or more of the security information servers in response to the request or the occurrence of a security event.
Another alternate embodiment of the invention is directed to a computer based system for providing security information services via a plurality of security information servers and a plurality of security information clients. The system includes a plurality of IP networked security devices, a plurality of security information servers and a plurality of security information clients.
Each of the plurality of the security information servers includes a processor and a memory, is logically associated with one or more security devices, and is in electronic communication via an IP network with each of the associated security devices. Processing logic is stored in memory for controlling each of the associated security devices responsive to a request for a security information service or the occurrence of a security event. Information as to the state of each security information device is also stored in the memory of the security information server logically associated with the device. Each security information server is in electronic communication with the other security information servers so that each security information server is aware of the status of each device associated with each of the other security information servers. Each of the plurality of security information clients is in electronic communication with at least one of the security information servers via an IP network. Each security information client is comprised of a processor and a memory, and processing logic is stored in the memory for providing a user interface to the security information client, for sending a request for a security information service to at least one of the security information servers, and for receiving a security information service from at least one security information server in response to the request or the occurrence of a security event. User priority information can be stored in the memory of the security information server, and the processing logic of the security information server includes logic that uses the user priority information for determining which user has priority to a particular security device when more than one user attempts to control the device simultaneously.
These embodiments of the present invention will become apparent to those skilled in the art after a reading of the following description when considered in conjunction with the drawings. It should be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of or limiting to the invention as claimed.
BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 is a block diagram of the software architecture system of the present invention;
Figure 2 is a high-level diagram of an exemplary physical security management system based on the software architecture system of the present invention;
Figure 3 is a diagram of the physical components of an exemplary physical security management system;
Figure 4 is a data flow diagram and schematic for the security information client of the present invention;
Figure 5 is a data flow diagram and schematic for the security information server of the present invention; and
Figure 6 is a flow diagram illustrating one method for a user to request and receive access to security devices.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
The headings used herein are meant only to aid the reader and are not meant to be limiting or controlling upon the invention. Generally, the contents of each heading are readily utilized in the other headings.
An embodiment of the present invention is directed to a software architecture system for providing security information services over a packet switched network, such as a network using the Internet Protocol ("IP"). By "security information services," I mean the information that is electronically communicated between a computerized physical security information management system and the physical security devices. The physical security devices include devices that provide surveillance, access control, alarms, intrusion detection, perimeter security, lighting, locks and key control for a secure facility, such as a prison.
Another embodiment of the system is an implementation of the software architecture system to provide security information services over a packet switched network.
Software Architecture 10
As shown in Figure 1, the software architecture 10 of the present invention is graphically illustrated on a block diagram. In an embodiment, the software architecture 10 is based on a component object model ("COM"), which is a framework for developing and supporting software component objects. By "software component," I mean a reusable program building block that can be combined with other components in the same or other computers in a distributed network to form an application. As known to those skilled in the programming arts, components can be deployed on different servers in a network and communicate with each other for needed services. A component runs within a context called a "container." By "container," I mean an application program or subsystem in which the component is run.
Returning to Figure 1, generally, the software architecture 10 includes a security information client framework 12 and a security information server framework 14, each of which will be described in enabling detail below.
• Security Information Client Framework 12
The security information client framework 12 provides a structure for developing a security information client program. The security information client framework 12 includes a container 16, in which software objects are run. The container 16 is used to provide a user interface 18, one or more virtual connections 20 with the security devices of the security system and a security information server link 24. The container could be, for example, a page on a Web site, a Web browser, a word processor, a Visual C program, a Visual C++ program, a Visual C# program, a Visual Basic program, or a Java program.
The user interface 18 can be constructed using, for example, the Microsoft Foundation Class ("MFC") library, which is available from Microsoft Corporation of Redmond, Washington. As is known to those skilled in the programming arts, the MFC library includes classes for all graphical user interface elements, such as windows, frames, menus, tool bars, status bars, etc.
The security information client framework 12 also includes one or more software components for creating a virtual connection 20 between a security information client program and a security device 22. By "virtual connection" I mean that the communication between the security information client program and the security device occurs over a packet switched network. Preferably, there is a virtual connection component for each security device of the physical security system. The security information client framework 12 also includes a security information server link 24, which is a software component that facilitates all communications between a security information client program and one or more security information server programs.
• Security Information Server Framework 14
The security information server framework 14 is a structure for developing a plurality of security information server programs. The security information server framework 14 includes a network scanner 26, a device manager 28, a messaging queue 30 and a security information client link 38, each of which is discussed in enabling detail below.
The network scanner 26 provides the functions of identifying each of the security devices that are present on the network, listening for and handling events that are generated by any of the security devices present on the system, and providing services to reprogram security devices. By "present on the network," I mean that a particular security device has an IP address and can send and receive data packets via the IP address. Alternatively, legacy security devices that are not IP addressable communicate with the security information server via a device with an IP address that is interposed between the legacy security device and the server. By "event," I mean an action or occurrence detected by a security information server program.
The device manager 28 determines whether a particular security information client program is authorized to access a particular security information device and whether a particular user is authorized to access a particular security device.
The messaging queue 30 allows all of the software components of the architecture to communicate with each other. The messaging queue 30 is the mechanism through which a security information client program and a security information server program request network resources, such as a security device. Specifically, the message queue is a method by which processes (or program instances) can exchange or pass data using an interface to a system-managed queue of messages. Messages can vary in length and be assigned different types or usages. A message queue can be created by one process and used by multiple processes that read and/or write messages to the queue. For example, a security information server process can read and write messages from and to a message queue created for security information client processes. The message type can be used to associate a message with a particular client process even though all messages are on the same queue. As is known to skilled programmers, the message queue is managed by the operating system (or kernel). Application programs (or their processes) create message queues and send and receive messages using an application program interface (API). Typically, most operating systems have a "get message" function that is used with various parameters specifying the action requested, message queue ID, message type, etc.
The message queue 30 is comprised of a broadcast queue 32, one or more service management queues 34 and one or more service specific queues 36, each of which will be discussed in enabling detail below. The broadcast queue 32 is used to send and receive "wake up" messages from a security information server or client program. By "wake up message," I mean the mechanism by which a security information server program advises other security information server programs that it is present on the network and available to send and receive messages.
Preferably, at a predefined time interval, each security information server program sends a data packet to the broadcast queue so that each security information server program is aware of the other security information server programs that are available. The data packet preferably includes the IP address of the computer upon which the security information server program is running, and permits a queue manager to establish or reconnect to queues specific to a security information server program.
The service management queue 34 is used by security information server and client programs to establish a specific service queue and to notify other security information server programs of problems with queues specific to a particular security information server program. The service management queue 34 is analogous to the "D-channel" of an Integrated Services Digital Network ("ISDN").
A service specific queue 36 is used by each security information server or client program to perform system services, including security information services. Each security information specific queue 36 belongs to a queue pool, which in turn is connected to a dedicated network socket. This architecture advantageously allows for extensibility of the security system and ensures that there will be sufficient resources available to manage the system.
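The three queue roles described above, modelled in-process as an added example that is not code from the patent. Python's queue.Queue stands in for the system-managed message queue; the QueueManager class, the message field names, the 60-second wake-up interval and the three-interval timeout are assumptions, and the IP addresses are constructed sample values.

```python
"""Added example: broadcast, service management and service specific queues."""
import queue
from dataclasses import dataclass

WAKE_UP_INTERVAL = 60    # seconds between wake-up messages (assumed value)
MISSED_BEFORE_DOWN = 3   # intervals without a wake-up before a server is dropped (assumed)


@dataclass(frozen=True)
class Message:
    kind: str      # message type, e.g. "wake_up" or "open_service"
    sender: str    # name of the sending program
    body: dict


class QueueManager:
    """Hypothetical queue manager: one broadcast queue, one service management
    queue and a fixed pool of service specific queues."""

    def __init__(self, pool_size):
        self.broadcast = queue.Queue()
        self.management = queue.Queue()
        self.pool = [queue.Queue() for _ in range(pool_size)]
        self.free = list(range(pool_size))
        self.assigned = {}    # (program, service) -> index into the pool
        self.last_seen = {}   # server name -> (ip, time of last wake-up)

    def drain_broadcast(self):
        """Record the sender and IP address of every pending wake-up message."""
        while True:
            try:
                msg = self.broadcast.get_nowait()
            except queue.Empty:
                return
            if msg.kind == "wake_up":
                self.last_seen[msg.sender] = (msg.body["ip"], msg.body["time"])

    def available_servers(self, now):
        """Servers whose last wake-up is recent enough to count as present."""
        limit = WAKE_UP_INTERVAL * MISSED_BEFORE_DOWN
        return {name: ip for name, (ip, seen) in self.last_seen.items()
                if now - seen <= limit}

    def drain_management(self, now):
        """Handle open_service requests.

        Returns {(program, service): pool index, or None if refused}."""
        results = {}
        while True:
            try:
                msg = self.management.get_nowait()
            except queue.Empty:
                return results
            if msg.kind != "open_service":
                continue
            key = (msg.sender, msg.body["service"])
            if msg.body["server"] not in self.available_servers(now):
                results[key] = None                  # target server has not announced itself
            elif key in self.assigned:
                results[key] = self.assigned[key]    # reconnect to the existing queue
            elif self.free:
                results[key] = self.assigned[key] = self.free.pop(0)
            else:
                results[key] = None                  # queue pool exhausted

    def service_queue(self, program, service):
        """The service specific queue previously established for this program."""
        return self.pool[self.assigned[(program, service)]]


def wake_up(server, ip, now):
    return Message("wake_up", server, {"ip": ip, "time": now})


def open_service(program, server, service):
    return Message("open_service", program, {"server": server, "service": service})


if __name__ == "__main__":
    qm = QueueManager(pool_size=2)
    qm.broadcast.put(wake_up("server-A", "192.0.2.10", 0))   # constructed sample
    qm.drain_broadcast()
    qm.management.put(open_service("client-1", "server-A", "camera"))
    print(qm.drain_management(now=30))
    print(qm.available_servers(now=400))   # server-A has gone silent
```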
The system also includes a database, such as a SQL server, which is used to log events that occur within the system and to store system information necessary to provide specific security information services. The message queues electronically communicate with the SQL server in order to perform the requested service. For example, the information needed to communicate with a specific camera, such as its IP address, is not stored by the security information client. The client need only know the system name and the IP address is obtained from the database and returned to the service specific queue.
The security information server framework 14 also includes a security information client link 38, which is a remotable class that facilitates all communications between a security information client program and one or more security information server programs. The main components of the software architecture system of the present invention having been described above, I will now describe in enabling detail an exemplary implementation of the software architecture.
Implementation of the Software Architecture
Turning now to Figure 2, an implementation of the software architecture system of the present invention is shown. Shown generally as 100, the computerized physical security management system comprises at least one security information client 120 that provides a user interface to the security system. At least one, and preferably multiple servers 140, referred to herein as security information servers, are in electronic communication with one or more of the clients 120. These servers 140 are also in electronic communication with one another for distributing information about the "state" of the security devices associated with the system, as described in greater detail below. Each security information server 140 in the system 100 is logically associated with, and therefore, has control over, a selected group of security devices 150, 160, 170, and 180. The group of security devices with which a server 140 is associated is sometimes referred to as a "domain." The security devices may include, but are not limited to fixed cameras, pan-tilt-zoom ("PTZ") cameras, access control devices, alarms, intrusion detection devices, perimeter security devices, lighting devices, locks, key control devices and intercoms. Security devices may include a processor and a memory. Instructions for controlling the security device are stored in the memory and are executed by the processor. Security devices also have network adapters, which provide a physical interface to the network to which the security devices are connected, such as an IP network. Alternatively, programmable logic controllers may be interposed between a server 140 and the security devices.
Figure 3 is a diagram of the physical components of an exemplary physical security management system 100 of the present invention. More specifically, the physical components of the security information client 120 are shown in greater detail. While the system 100 requires only one client 120, the present system 100 is extensible to accommodate an unlimited number of clients via the Ethernet connection to the system.
Preferably, the client 120 is a desktop or laptop computer 122 with a processor and a memory. Desirably, the processor is at least a Pentium IV® processor, which is available from Intel Corporation of Santa Clara, California, or an equivalent processor. At least one monitor or display 126 is in electronic communication with the computer 122, but as many as four monitors 126 may be connected, so that the user has expanded access and viewing capability. For example, multiple monitors 126 will permit the user to access multiple security devices simultaneously.
User interface at the workstation 120 may include a conventional keyboard 123, a conventional pointing device 125, such as a mouse, or a three-dimensional pointing device 127. In one embodiment, a three-dimensional pointing device 127, such as a SpaceMouse XT, available from 3Dconnexion of Silicon Valley, California, enables the user to provide input without the need for a keyboard 123 or other pointing device 125. The SpaceMouse XT pointing device 127 is connected to the computer 122 via a universal serial bus (USB) interface that is driven by a DirectX driver. As used with the SpaceMouse XT joystick, the user is able to manipulate a PTZ camera in three dimensions. As those skilled in the art will appreciate, there are numerous pointing devices and other peripherals, which may be satisfactorily used with computer 122, depending upon the particular application.
Referring again to Figure 3, the physical components of the security information server 140 are shown in greater detail. As with the security information client 120, only one security information server 140 is required for the system 100 of the present invention. The security information server 140 comprises a computer 141 for running the software that controls and/or provides access to the security devices 150 through 180, and other network resources. The computer 141 desirably contains a Pentium IV® or equivalent processor. While not required, a monitor 142 and keyboard 143 may be provided so that system administrators can perform routine maintenance, backup, etc. Electronically connected to at least one computer 141 is a redundant array of inexpensive disks (RAID) 144. As those skilled in the art will appreciate, the RAID provides a data storage method in which data is distributed across a group of computer disk drives that function as a single storage unit. In the present implementation, all of the system information is stored on each of the disks in the array so that no data is lost if one of the disks fails. For example, the RAID stores video images that have been captured and saved in formats such as JPEG or MPEG. A suitable RAID is comprised of an Escalade 7500 Series ATA RAID controller card, one to four Escalade RDC-300 drive carrier cages, each of which can accommodate three hard drives, and one to twelve 160GB ATA 133 IDE hard drives, which are available from 3Ware, Inc. of Mountain View, California.
Additionally, where a security information server 140 controls cameras, a network video recorder server 145 is provided for recording digitized video images. One suitable network video recorder server 145 is Model 6022P-6, which is available from SuperMicro Computer, Inc. of San Jose, California.
Each security information server 140 is logically associated with and controls a selected group of security devices 150, 160, 170, and 180. That is, each of the security devices is in electronic communication with only one server 140. While there is no established minimum number of devices within the domain of a server 140, it has been found that associating no more than 48 video and/or audio devices, such as cameras, per server 140 is optimal.
Functions performed by the security information server include determining whether a particular security information client is authorized to access a particular security device and determining whether a particular user is authorized to access a particular device. User priority information can be stored in the memory of the security information server, and the security information server includes processing logic that uses the user priority information for determining which user has priority to a particular security device when more than one user attempts to control a particular security device at the same time.
In one implementation of the present invention, and as shown in Figure 3, server 140 controls a plurality of fixedly mounted IP addressable cameras 170, IP addressable pan-tilt-zoom (PTZ) cameras 180, intercom stations 150, and electronic door locks 160. IP addressable cameras 170 suitable for the present implementation include digital IP cameras available from Indigo Vision Group, plc of Edinburgh, United Kingdom, as Model No. VP603W53-NTSC. IP addressable PTZ cameras 180 are available from Ultrak, Inc. of Lewisville, Texas as Model No. KD6. These devices will either have built-in network video cards or must route their signals through a network interface device, such as a VB6004 available from Indigo Vision, or a network card within the server computer. A video server 182 may be provided with the PTZ camera 180 to digitize the analog signal from the camera. The video server used in the present implementation is available from Indigo Vision as Model VB6004.
The security information clients 120, security information servers 140, and security devices 150, 160, 170, and 180 are interconnected by a system of coaxial cable, fiberoptic cable, or twisted-pair wiring as is conventional for Ethernet installations. As shown in Figure 3, the plurality of security devices 150, 160, 170, and 180 are directly interconnected to a first network switch 135. Dual fiber uplinks 135a, 135b from the first network switch 135 are then interconnected to redundant second network switches 137, 138. The redundancy of the second network switches provides an added level of reliability against the failure of one of the switches 137, 138. Switches 137, 138 provide dual feeds to computer 141 at the security information server 140. Switches 137, 138 also enable electronic communication between the plurality of security information servers 140. Dual uplinks 137a, 138a from switches 137, 138 provide interconnection to a third network switch 139 which is electronically connected to one or more security information client computers 122. As those skilled in the art will appreciate, the plurality of network switches 135, 137, 138, and 139 permit the system 100 to be configured in either a ring or star topology, and desirably both.
A simplified functional block diagram for the security information client 120 user interface is shown in Figure 4. The user interface to the security information client 120 is comprised of software components, such as ActiveX controls, that run in a container 410. For the present invention, the container is an application program developed in Visual C. ActiveX is preferred because it provides a set of technologies that enable software components, such as VideoBridge for Indigo Vision IP addressable cameras, to interact with one another in the network environment, regardless of the language in which the components were created. As those skilled in the art will appreciate, other containers can be used, such as a web browser, a Visual C++ program, a Visual C# program, a Visual Basic program, a Java program or an InTouch program. InTouch is a human machine interface program available from the Wonderware division of Invensys, plc of London, England.
Embedded as ActiveX controls in the container 410 are logic equations 420 that govern the client's interaction with the system 100. A family of ActiveX controls, shown in Figure 4 as 441 through 445, have been developed to control the client's interaction with the security devices based upon the protocol of each type of device. An input control 442 provides interaction between an input device, such as a three-dimensional pointing device 127, and the client. A sound control 441 facilitates communications between the client and an audio device, such as an intercom. A monitor control 443, 444, 445 facilitates communication between the client and a video device, such as an IP camera. Such a control is sometimes referred to as a "soft monitor." In one embodiment, a client may run up to 16 soft monitors, which would permit the simultaneous display of images from 16 video cameras on client monitor 126. Where multiple monitors 126 are connected to the client computer 122, multiple devices may be accessed and displayed.
Turning now to Figure 5, a functional block diagram of the security information server 140 is shown. The operating environment for the server 140 is based on the Microsoft .NET platform. Network access functionality 520 comprises the communications link 522 with each of the security information clients 120 and the other security information servers 140.
Once a user has logged onto a client computer 122, the system communicates the fact of the logon of the specific user to each server computer 141 available on the system. Via the link 522, each server computer 141 communicates back to the client information as to the devices that are available and that the user is authorized to access.
Also running on each server computer are customizable rules and logic equations, shown generally as 523. That is, each security information server 140 is programmed with general rules and logic concerning the devices under its control, as well as rules determining whether a particular user is authorized to access a particular device. For example, where the security devices comprise locked doors A and B, the logic may not permit door B to be unlocked if door A is already unlocked.
Remote classes 524 provide background functionality for the security information server 140. These routines handle, for example, abstraction, determine the status of devices, and activate preprogrammed tasks, such as interlock enables, door hold opens, function forces, and camera presets.
A SQL server database 526 stores device configuration data, maintains a log of events, and provides requested reports.
Microsoft Message Queue 528 also runs on the server computer 141 to handle routine messages such as routine reports, software updates, etc. Routine messages do not include requests for access to security devices, which must be handled expeditiously. A device scan and administrative function 529 is a set of routines that permit a system administrator to add or delete devices accessible via the security information server 140. A device interface routine 525 is provided by the server for a particular device. If, however, a client "leases" a particular device from the server, the server may relinquish control of certain functions of the leased device to the client. By "lease," I mean that the client has exclusive control over the device and the device is no longer available to any other client. Certain devices that cannot be accessed by more than one client at the same time, such as intercoms and door locks, must be leased exclusively to one client.
Lastly, where a network video recorder server 145 is used in conjunction with a security information server 140, network video recorder software 510 provides the video recording and playback function.
In operation, and as shown in Figure 6, a user can access 610 the system 100 via a security information client computer 122. As those skilled in the art will appreciate, and as is conventional in network systems, user access is granted based upon entry of a user identification and password. Once the user is logged onto the network, the operating system software transmits a broadcast message to each of the security information servers 140 in the system that the particular user is logged on. As part of this broadcast, the security information client 120 requests from each server 140 the status of available security devices. Each server then communicates 620 back to the client 120 the devices that are available and the devices the user is authorized to access. Each user's access to security devices may be customized for the user depending upon the user's position, priority, etc. For example, a particular user may have access to cameras, but may not have permission to manipulate door locks or other securing devices. Permissions are stored in memory at each of the security information servers 141.
A menu, or the like, on the monitor 126 displays representations of the available devices that the user is authorized to control and/or view. The user can then begin requesting 630 access to specific devices up to the user's authorized maximum. In one embodiment of the present invention, each user is limited to 32 devices at any one time.
As described above, each of the security information servers 141 is in electronic communication with the others, wherein, at predetermined time intervals, every minute, for example, each of the servers 141 communicates 640, or distributes information, about the state of the security devices logically associated with the server. By way of example, suppose the maximum number of devices a user can access is 32, and that the user has been granted access to 14 devices from server A and 18 devices from server B. If the user then requests access to a device from server C, the user will be denied access to the device based on information provided by servers A and B as to the number of devices to which the user currently has access.
If a user has not accessed the maximum number of devices, and is authorized to access a requested device, then access will be granted 650. Responsive to the user's request, the appropriate server 141 will turn on the device and provide an appropriate acknowledgement to the user. In the case of a fixed camera 170, the server will enable a soft monitor on the user's monitor with a video image of the particular area in the facility that is monitored by the fixed camera 170. The user can have multiple soft monitors enabled on the monitor at any one time, but desirably each client will be limited to 16 soft monitor images. In the case of a PTZ camera 180, the user will be provided a video image, and if authorized, will be allowed to manipulate the camera 180 by means of the three-dimensional pointing device.
Because the user's access to a particular device is also based upon priority, the user's access to a particular device may be terminated by the server 141 if a user with a higher priority requests the device. Additionally, in one implementation of the system of the present invention, access to a device is fixed at a predetermined time; e.g., 1 minute.
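The access decision described above (per-user authorization, the cap of 32 devices counted across servers from periodically distributed state, priority preemption, and the 1-minute access time) can be modeled as follows. This is an added illustration, not code from the patent: the class and method names, the treatment of every device as exclusively leased, larger integers meaning higher priority, and equal priority not preempting are all assumptions.

```python
from dataclasses import dataclass, field

MAX_DEVICES_PER_USER = 32  # per-user cap given in the description
LEASE_SECONDS = 60         # access "fixed at a predetermined time; e.g., 1 minute"


@dataclass
class Lease:
    user: str
    priority: int
    expires_at: float


@dataclass
class Server:
    """One security information server and its domain (hypothetical model)."""
    name: str
    devices: set        # device ids logically associated with this server
    permissions: dict   # user -> set of device ids the user may access
    priorities: dict    # user -> int; larger means higher priority (assumption)
    peers: list = field(default_factory=list)
    leases: dict = field(default_factory=dict)       # device id -> Lease
    peer_counts: dict = field(default_factory=dict)  # peer name -> {user: n}
    log: list = field(default_factory=list)          # stand-in for the event log

    def _expire(self, now):
        for dev in [d for d, l in self.leases.items() if l.expires_at <= now]:
            self.log.append((now, "expired", self.leases.pop(dev).user, dev, ""))

    def local_counts(self, now):
        self._expire(now)
        counts = {}
        for lease in self.leases.values():
            counts[lease.user] = counts.get(lease.user, 0) + 1
        return counts

    def distribute_state(self, now):
        """Periodic exchange: tell each peer how many devices each user holds here."""
        counts = self.local_counts(now)
        for peer in self.peers:
            peer.peer_counts[self.name] = dict(counts)

    def _decide(self, now, user, device, granted, reason):
        self.log.append((now, "granted" if granted else "denied", user, device, reason))
        return granted, reason

    def request(self, user, device, now):
        """Return (granted, reason); every decision is logged."""
        self._expire(now)
        if device not in self.devices:
            return self._decide(now, user, device, False, "unknown device")
        if device not in self.permissions.get(user, set()):
            return self._decide(now, user, device, False, "not authorized")
        holder = self.leases.get(device)
        if holder and holder.user == user:
            holder.expires_at = now + LEASE_SECONDS
            return self._decide(now, user, device, True, "renewed")
        # Cap check uses local leases plus the last counts received from peers.
        held = self.local_counts(now).get(user, 0) + sum(
            c.get(user, 0) for c in self.peer_counts.values())
        if held >= MAX_DEVICES_PER_USER:
            return self._decide(now, user, device, False, "device limit reached")
        prio = self.priorities.get(user, 0)
        if holder and prio <= holder.priority:
            return self._decide(now, user, device, False, "leased to another user")
        if holder:
            self.log.append((now, "preempted", holder.user, device, ""))
        self.leases[device] = Lease(user, prio, now + LEASE_SECONDS)
        return self._decide(now, user, device, True, "granted")


def demo():
    """Constructed scenario: the 14 + 18 = 32 example from the description."""
    users = {"operator": 1, "supervisor": 5}

    def make(name, n):
        devs = {f"{name}-cam{i}" for i in range(n)}
        return Server(name, devs, {u: set(devs) for u in users}, dict(users))

    a, b, c = make("A", 14), make("B", 18), make("C", 2)
    for s in (a, b, c):
        s.peers = [p for p in (a, b, c) if p is not s]
    for s in (a, b):
        for dev in sorted(s.devices):
            assert s.request("operator", dev, now=0)[0]
        s.distribute_state(now=0)
    r = {}
    r["over_cap"] = c.request("operator", "C-cam0", now=1)
    r["unauthorized"] = c.request("visitor", "C-cam0", now=1)
    r["preempt"] = a.request("supervisor", "A-cam0", now=2)
    r["lower_priority"] = a.request("operator", "A-cam0", now=3)
    r["stale"] = c.request("operator", "C-cam0", now=61)  # leases expired, C not told yet
    a.distribute_state(now=61)
    b.distribute_state(now=61)
    r["fresh"] = c.request("operator", "C-cam0", now=62)
    return r
```

Peers learn counts only when `distribute_state` runs, so between exchanges a decision rests on stale counts; the `stale` and `fresh` results show the case where expired leases still count against the user until the next exchange.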
Although the present invention has been described with preferred embodiments, it is to be understood that modifications and variations may be utilized without departing from the spirit and scope of the invention, as those skilled in the art will readily understand. Such modifications and variations are considered to be within the purview and scope of the appended claims and their equivalents.

Claims

What is claimed is:
1. A software architecture system for providing security information services over a packet switched network, comprising:
(a) a security information client framework for developing a security information client program, the security information client framework being comprised of:
(i) a container program for one or more software components, wherein each of the software components runs in the container program;
(ii) one or more software components for providing a user interface to the security information client program;
(iii) at least one software component for providing communication to and from a security information server program; and
(iv) at least one software component for providing a virtual connection between the security information client program and a security device;
(b) a security information server framework for creating a plurality of security information servers, wherein the security information server framework is comprised of:
(i) a security device manager for determining whether a particular security information client program is authorized to access a particular security information device and whether a particular user is authorized to access a particular security device;
(ii) a network scanner for identifying security devices that are present on the network and for handling events received from a security device; and
(iii) a messaging queue, wherein the messaging queue is comprised of:
a. a broadcast queue, wherein the broadcast queue sends and receives messages to and from each of the plurality of security information server programs, wherein the messages include information as to the availability of each security information server program;
b. one or more service management queues; and
c. one or more security information service specific queues, wherein specific security information services are provided via one of the security information service specific queues; wherein each security information server program requests a security information service specific queue via one of the service management queues; and
(iv) at least one software component for providing communication from and to a security information client program.
2. The software architecture system of claim 1, further comprising a leasing service, wherein a security information client program controls a security device via the leasing service.
3. The software architecture system of claim 2, wherein the leasing service limits the security information client program's control of the security device to a predetermined amount of time.
4. A computer based system for providing security information services, comprising:
(a) a plurality of IP networked security devices, wherein each security device includes a processor, a memory and a network adapter;
(b) a security information server in electronic communication with each of the security devices via the IP network, wherein each security information server is comprised of a processor and a memory, wherein processing logic is stored in the memory for controlling each of the plurality of security devices responsive to a request for a security information service or an occurrence of a security event; and
(c) a security information client in electronic communication with the security information server via the IP network, wherein the security information client is comprised of a processor and a memory, wherein processing logic is stored in the memory for providing a user interface to the security information client for sending a request for a security information service to the security information server and for receiving a security information service from the security information server in response to the request or the occurrence of a security event.
5. The system of claim 4, wherein more than one security device can be controlled simultaneously by the user via the user interface.
6. The system of claim 4, wherein the security device is an IP video camera for transmitting a video signal to the security information server.
7. The system of claim 6, wherein the video signal received by the security information server is transmitted to the security information client, and is displayed on the security information client via the user interface.
8. The system of claim 7, wherein a user can control the IP video camera via the user interface.
9. The system of claim 8, further comprising a 3-dimensional pointing device that electronically communicates with the security information client, wherein the user can control the video camera via the 3-dimensional pointing device.
10. The system of claim 9, wherein the 3-dimensional pointing device interfaces with the security information client via a DirectX driver.
11. The system of claim 4, wherein the security information server is further comprised of a digital video recorder, wherein the digital video recorder receives video signals from the video camera via the security information server, stores the video signals, and serves the stored video signals to the security information client via the security information server.
12. The system of claim 4, wherein the security device is an access control device.
13. The system of claim 12, wherein the access control device is an electronic lock.
14. The system of claim 4, wherein the security device is an alarm.
15. The system of claim 4, wherein the security device is an intrusion detection device.
16. The system of claim 4, wherein the security device is a lighting device.
17. The system of claim 4, wherein the security device is an audio communication device.
18. The system of claim 17, wherein the audio communication device is an intercom.
19. The system of claim 4, wherein the security device is further comprised of a programmable logic controller, wherein the programmable logic controller is in electronic communication with the security information server and the security device.
20. The system of claim 4, wherein the processing logic of the security information server includes logic for determining whether a user is authorized to access a security information client.
21. The system of claim 4, wherein the processing logic of the security information server includes logic for determining whether a user is authorized to control a particular security device.
22. The system of claim 4, wherein the processing logic of the security information server includes logic for determining the number of security devices that a user can control at the same time.
23. The system of claim 22, wherein the number of security devices that a user can control at the same time is determined on the basis of the physical limitations of the network.
24. The system of claim 4, wherein the security information client is a container for a software component.
25. The system of claim 24, wherein the container is selected from the group consisting of a web browser, a Visual C program, a Visual C++ program, a Visual C# program, a Visual Basic program, a Java program and an InTouch program.
26. The system of claim 24, wherein the software component is an ActiveX control.
27. The system of claim 24, wherein the software component is a JavaBean.
28. The system of claim 24, wherein the function of the software component is selected from the group consisting of video monitor control, input device control and audio device control.
29. A computer based system for providing security information services, comprising:
(a) a plurality of IP networked security devices, wherein each security device is comprised of a processor, a memory and a network adapter;
(b) a plurality of security information servers, wherein each security information server is comprised of a processor and a memory, wherein each security information server is logically associated with one or more security devices and is in electronic communication via an IP network with each of the associated security devices, wherein processing logic is stored in the memory for controlling each of the associated security devices responsive to a request for a security information service or the occurrence of a security event, wherein information as to the state of each security information device is stored in the memory of the security information server logically associated with the device, and wherein each security information server is in electronic communication with the other security information servers so that each security information server is aware of the status of each device associated with each of the other security information servers; and
(c) a security information client in electronic communication with at least one of the security information servers via an IP network, wherein each security information client is comprised of a processor and a memory, wherein processing logic is stored in the memory for providing a user interface to the security information client for sending a request for a security information service to the at least one of the security information servers and for receiving a security information service from the at least one security information server in response to the request or the occurrence of a security event.
30. A computer based system for providing security information services, comprising:
(a) a plurality of IP networked security devices, wherein each security device is comprised of a processor, a memory and a network adapter;
(b) a plurality of security information servers, wherein each security information server is comprised of a processor and a memory, wherein each security information server is logically associated with one or more security devices and is in electronic communication with each of the associated security devices via the IP network, wherein processing logic is stored in the memory for controlling each of the associated security devices responsive to a request for a security information service or the occurrence of a security event, wherein information as to the state of each security information device is stored in the memory of the security information server logically associated with the device, and wherein each security information server is in electronic communication with the other security information servers so that each security information server is aware of the status of each device associated with each of the other security information servers; and
(c) a plurality of security information clients, wherein each security information client is in electronic communication with at least one of the security information servers via an IP network, wherein each security information client is comprised of a processor and a memory, wherein processing logic is stored in the memory for providing a user interface to the security information client for sending a request for a security information service to the at least one of the security information servers and for receiving a security information service from the at least one security information server in response to the request or the occurrence of a security event.
31. The system of claim 30, wherein user priority information is stored in the memory of the security information server.
32. The system of claim 31, wherein the processing logic of the security information server includes logic that uses the user priority information for determining which user has priority to a particular security device when more than one user attempts to control simultaneously the particular security device.
PCT/US2003/027556 2002-09-10 2003-09-03 Software architecture system for a security management system WO2004025893A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2003268402A AU2003268402A1 (en) 2002-09-10 2003-09-03 Software architecture system for a security management system

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US23818002A 2002-09-10 2002-09-10
US10/238,180 2002-09-10

Publications (1)

Publication Number Publication Date
WO2004025893A1 (en) 2004-03-25

Family

ID=31990920

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2003/027556 WO2004025893A1 (en) 2002-09-10 2003-09-03 Software architecture system for a security management system

Country Status (2)

Country Link
AU (1) AU2003268402A1 (en)
WO (1) WO2004025893A1 (en)

Also Published As

Publication number Publication date
AU2003268402A1 (en) 2004-04-30

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 EP: The EPO has been informed by WIPO that EP was designated in this application
122 EP: PCT application non-entry in European phase
NENP Non-entry into the national phase

Ref country code: JP

WWW WIPO information: withdrawn in national office

Country of ref document: JP