CN106790149A - Method and system for defending IoT devices against intrusion - Google Patents

Info

Publication number: CN106790149A
Authority: CN (China)
Prior art keywords: current device, white list, request, invaded, user
Legal status: Pending
Application number: CN201611238992.7A
Other languages: Chinese (zh)
Inventors: 任洪伟, 李柏松
Current assignee: Beijing Ahtech Network Safe Technology Ltd
Original assignee: Beijing Ahtech Network Safe Technology Ltd
Application filed by: Beijing Ahtech Network Safe Technology Ltd
Priority to: CN201611238992.7A (priority date 2016-12-28)
Filing date: 2016-12-28
Publication of: CN106790149A (publication date 2017-05-31)

Classifications

    • H04L63/145: H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 ... for detecting or protecting against malicious traffic > H04L63/1441 Countermeasures against malicious traffic > H04L63/145 ... the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L63/0815: H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L63/00 Network architectures or network communication protocols for network security > H04L63/08 ... for authentication of entities > H04L63/0815 ... providing single-sign-on or federations
    • H04L63/1425: H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 ... for detecting or protecting against malicious traffic > H04L63/1408 ... by monitoring network traffic > H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The invention discloses a method and system for defending IoT devices against intrusion. The method includes: monitoring the system login log of the current device and, if the number of consecutive failed login records from the same IP exceeds a set value, blocking that IP from logging in to the current device; monitoring the processes of the current device and, if a started process is not in the process white list, blocking the startup of that process; and monitoring the network requests initiated outward by the current device and, if a network request is not in the request white list, blocking the current network request. The technical scheme of the present invention can effectively defend against network attacks aimed at IoT devices.

Description

Method and system for defending IoT devices against intrusion
Technical field
The present invention relates to the field of Internet of Things security technology, and in particular to a method and system for defending IoT devices against intrusion.
Background technology
With the rapid development of the Internet, the Internet of Things has also advanced quickly. While IoT devices bring convenience, their defects and vulnerabilities also allow attackers to use them to launch attacks, mainly DDoS (denial of service attack). Exploiting the weakness of the factory default account passwords of IoT devices, and the fact that users ignore their security, attackers penetrate IoT devices, guess passwords, obtain device privileges and implant malicious code in the form of worms (such as the Mirai worm), then control the IoT devices from a remote server. Because of the nature of worms, the malicious code actively goes on to infect other IoT devices, so that a large number of IoT devices fall into the attacker's hands, become the attacker's "broilers" (zombie hosts) and launch attacks. Given the characteristics of worm malicious code, merely removing the malicious code cannot thoroughly eliminate the security risk.
At present, defense systems for the Windows platform are very mature; their detection techniques for viruses, trojans, worms and the like mainly include signature detection, network detection and malicious-code behavior detection. Defense and removal for IoT devices (mainly of the ARM, MIPS and similar architectures), however, are still immature. After an IoT device has been infected with malicious code it can be cleaned, but because of the nature of the "Mirai" malicious code, which spreads widely and can be remotely controlled to automatically infect other IoT devices, a device may be infected again even after it has been cleaned.
Summary of the invention
In view of the above technical problem, the technical solution of the present invention monitors the system login log, the processes started on the current device and the network requests initiated outward, and judges them with a white-list mechanism: an operation is allowed to proceed if it is present in the white list; otherwise a blocking operation is performed in time, thereby effectively defending IoT devices against network attacks.
The present invention is realized by the following method: a method for defending IoT devices against intrusion, including:
monitoring the system login log of the current device and, if the number of consecutive failed login records from the same IP exceeds a set value, blocking that IP from logging in to the current device;
monitoring the processes of the current device and, if a started process is not in the process white list, blocking the startup of that process;
monitoring the network requests initiated outward by the current device and, if a network request is not in the request white list, blocking the current network request.
Further, after blocking the IP from logging in to the current device, the method also includes: adding the IP to a blacklist, so that the IP is forbidden to log in to the current device.
Further, if the started process was started by the user himself, the process name is added to the process white list in advance.
In the above method, the process white list is generated by taking a snapshot of the system processes in the initial state.
Further, the request white list stores the domain names or IP addresses used for system updates or known software updates.
Further, the method also includes: backing up relevant information in the system of the current device and, after it is determined that the current device has been intruded, performing a recovery operation based on the backup; the relevant information includes: overall files, system processes or account information.
Further, the method also includes: after the user's first successful login, judging whether the system password is a weak password; if so, forcing the user to change the password, otherwise allowing the login to the current device.
The present invention can be realized by the following system: a system for defending IoT devices against intrusion, including:
a log monitoring module, for monitoring the system login log of the current device and, if the number of consecutive failed login records from the same IP exceeds a set value, blocking that IP from logging in to the current device;
a process monitoring module, for monitoring the processes of the current device and, if a started process is not in the process white list, blocking the startup of that process;
a request monitoring module, for monitoring the network requests initiated outward by the current device and, if a network request is not in the request white list, blocking the current network request.
Further, after blocking the IP from logging in to the current device, the system also: adds the IP to a blacklist, so that the IP is forbidden to log in to the current device.
Further, if the started process was started by the user himself, the process name is added to the process white list in advance.
In the above system, the process white list is generated by taking a snapshot of the system processes in the initial state.
Further, the request white list stores the domain names or IP addresses used for system updates or known software updates.
Further, the system also includes: a backup and restore module, for backing up relevant information in the system of the current device and, after it is determined that the current device has been intruded, performing a recovery operation based on the backup; the relevant information includes: overall files, system processes or account information.
Further, the system also includes: a weak password monitoring module, for judging, after the user's first successful login, whether the system password is a weak password; if so, forcing the user to change the password, otherwise allowing the login to the current device.
In summary, the present invention provides a method and system for defending IoT devices against intrusion. Through study of botnet attacks associated with known IoT devices, for example the "Mirai" botnet, the method and system described herein are proposed. They apply not only to IoT devices of the ARM and MIPS architectures but also to any other related IoT device. First, according to the characteristics of malicious code and the particularities of IoT devices, system login information is monitored to determine whether there is illegal login authentication; illegal process startup is prevented by process monitoring; illegal network requests initiated outward are prevented by network request monitoring; and so on, defending against attacks by malicious code. To make user interaction convenient, the invention adds a white-list mechanism that assists the user in adding permitted access rights.
The beneficial effects are: the technical scheme of the present invention can defend against intrusion behavior aimed at IoT devices in time, and through backup and restore can thoroughly clean IoT devices that have been infected with malicious code.
Brief description of the drawings
In order to explain the technical scheme more clearly, the drawings needed in the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of a method embodiment for defending IoT devices against intrusion provided by the present invention;
Fig. 2 is a structural diagram of a system embodiment for defending IoT devices against intrusion provided by the present invention.
Specific embodiments
The present invention provides method and system embodiments for defending IoT devices against intrusion. In order for those skilled in the art to better understand the technical scheme in the embodiments of the present invention, and to make the above objects, features and advantages of the present invention more obvious and understandable, the technical scheme of the present invention is described in further detail below with reference to the drawings:
The present invention first provides a method embodiment for defending IoT devices against intrusion, as shown in Fig. 1, including:
S101: monitor the system login log of the current device; if the number of consecutive failed login records from the same IP exceeds a set value, block that IP from logging in to the current device;
Specifically, monitoring the system login log of the current device includes monitoring the login information of the telnet protocol or the ssh protocol;
After blocking the IP from logging in to the current device, the method also includes adding the IP to a blacklist. The purpose is to block subsequent login attempts on the current device from that IP.
S102: monitor the processes of the current device; if a started process is not in the process white list, block the startup of that process;
If the started process was started by the user himself, the process name is added to the process white list in advance, and the startup of illegal processes is then blocked. The process white list is generated by taking a snapshot of the system processes in the initial state.
S103: monitor the network requests initiated outward by the current device; if a network request is not in the request white list, block the current network request. The purpose is to block illegal outward requests, so that a device that has been intruded is prevented at the source from continuing to infect other IoT devices in the network;
The request white list stores the domain names or IP addresses used for system updates or known software updates.
Preferably, the method also includes: backing up relevant information in the system of the current device and, after it is determined that the current device has been intruded, performing a recovery operation based on the backup; the relevant information includes: overall files, system processes or account information. The purpose is to thoroughly clean the malicious code from an infected IoT device.
Preferably, the method also includes: after the user's first successful login, judging whether the system password is a weak password; if so, forcing the user to change the password, otherwise allowing the login to the current device. Specifically, after login to the current device, HOOK techniques are used to judge whether the system password is a weak password. The password the user is forced to change to must at least be a combination of letters, digits and special characters. This avoids the possibility of the current device's password being brute-forced.
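As an added worked example (not code from the patent or its assignee), the following Python sketch implements the three monitors of S101 to S103 and the password rule of the preceding paragraph over a few constructed syslog-style login lines. The log format, the set value of 3, the process names and the white-list entries are assumptions, and the request check also accepts subdomains of a listed domain, which goes beyond what the text states.

```python
import re
from collections import defaultdict

# Constructed syslog-style sshd lines standing in for the device's login log.
SAMPLE_LOG = """\
Dec 28 10:00:01 cam sshd[412]: Failed password for root from 203.0.113.7 port 41122 ssh2
Dec 28 10:00:02 cam sshd[412]: Failed password for admin from 203.0.113.7 port 41123 ssh2
Dec 28 10:00:03 cam sshd[412]: Failed password for invalid user pi from 203.0.113.7 port 41124 ssh2
Dec 28 10:00:04 cam sshd[412]: Failed password for root from 203.0.113.7 port 41125 ssh2
Dec 28 10:00:10 cam sshd[413]: Failed password for admin from 192.0.2.10 port 50001 ssh2
Dec 28 10:00:11 cam sshd[413]: Accepted password for admin from 192.0.2.10 port 50002 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)")
ACCEPTED_RE = re.compile(r"Accepted password for \S+ from (\d+\.\d+\.\d+\.\d+)")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class LoginMonitor:
    """S101: count consecutive failures per source IP; blacklist above the set value."""
    def __init__(self, threshold=3):          # the set value is an assumption
        self.threshold = threshold
        self.consecutive = defaultdict(int)   # current failure streak per IP
        self.blacklist = set()                # IPs blocked from further logins

    def feed(self, line):
        """Consume one log line; return the IP newly blacklisted by it, or None."""
        m = ACCEPTED_RE.search(line)
        if m:
            self.consecutive[m.group(1)] = 0  # a successful login ends the streak
            return None
        m = FAILED_RE.search(line)
        if not m:
            return None                       # unrelated line
        ip = m.group(1)
        self.consecutive[ip] += 1
        if self.consecutive[ip] > self.threshold and ip not in self.blacklist:
            self.blacklist.add(ip)
            return ip
        return None

    def allow_login(self, ip):
        return ip not in self.blacklist


class ProcessMonitor:
    """S102: the white list is the snapshot of processes in the initial state."""
    def __init__(self, snapshot_names):
        self.whitelist = set(snapshot_names)

    def allow_user_process(self, name):
        self.whitelist.add(name)              # user-started process, added in advance

    def check_start(self, name):
        return name in self.whitelist         # False means block the startup


class RequestMonitor:
    """S103: outbound destinations must match a white-listed domain or IP."""
    def __init__(self, allowed):
        self.domains, self.ips = set(), set()
        for entry in allowed:
            (self.ips if IP_RE.match(entry) else self.domains).add(entry.lower())

    def allow(self, destination):
        d = destination.lower()
        if d in self.ips:
            return True
        # Assumption beyond the text: a subdomain of a listed domain is accepted too.
        return any(d == dom or d.endswith("." + dom) for dom in self.domains)


def is_weak_password(password):
    """Weak unless it combines letters, digits and special characters."""
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(not c.isalnum() for c in password)
    return not (has_alpha and has_digit and has_special)


def run_demo(threshold=3):
    """Run the constructed sample through all monitors and return the decisions."""
    login = LoginMonitor(threshold)
    newly_blocked = [ip for ip in map(login.feed, SAMPLE_LOG.splitlines()) if ip]
    procs = ProcessMonitor(["init", "busybox", "telnetd", "dropbear", "camera_app"])
    procs.allow_user_process("ntpd")
    reqs = RequestMonitor(["update.example-vendor.com", "198.51.100.20"])  # assumed
    return {
        "blacklisted": newly_blocked,
        "login_ok_after_success": login.allow_login("192.0.2.10"),
        "proc_ntpd_ok": procs.check_start("ntpd"),
        "proc_unknown_blocked": not procs.check_start("unknown.bin"),
        "req_update_ok": reqs.allow("fw.update.example-vendor.com"),
        "req_other_ip_blocked": not reqs.allow("198.51.100.99"),
        "admin123_is_weak": is_weak_password("admin123"),
    }
```

Calling `run_demo()` shows 203.0.113.7 blacklisted on its fourth consecutive failure while 192.0.2.10, whose streak was reset by a successful login, stays allowed.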
Secondly, the present invention provides a system embodiment for defending IoT devices against intrusion, as shown in Fig. 2, including:
a log monitoring module 201, for monitoring the system login log of the current device and, if the number of consecutive failed login records from the same IP exceeds a set value, blocking that IP from logging in to the current device;
a process monitoring module 202, for monitoring the processes of the current device and, if a started process is not in the process white list, blocking the startup of that process;
a request monitoring module 203, for monitoring the network requests initiated outward by the current device and, if a network request is not in the request white list, blocking the current network request.
Preferably, after blocking the IP from logging in to the current device, the system also: adds the IP to a blacklist, so that the IP is forbidden to log in to the current device.
Preferably, if the started process was started by the user himself, the process name is added to the process white list in advance.
In the above system embodiment, the process white list is generated by taking a snapshot of the system processes in the initial state.
Preferably, the request white list stores the domain names or IP addresses used for system updates or known software updates.
Preferably, the system also includes: a backup and restore module, for backing up relevant information in the system of the current device and, after it is determined that the current device has been intruded, performing a recovery operation based on the backup; the relevant information includes: overall files, system processes or account information.
Preferably, the system also includes: a weak password monitoring module, for judging, after the user's first successful login, whether the system password is a weak password; if so, forcing the user to change the password, otherwise allowing the login to the current device.
Each embodiment in this specification is described in a progressive manner; for the same or similar parts of the embodiments, reference can be made between them, and each embodiment focuses on its differences from the others. In particular, because the system embodiment is substantially similar to the method embodiment, its description is relatively simple, and the relevant parts can be found in the description of the method embodiment.
The above embodiments apply to IoT devices under the various current architectures. By monitoring the system login log of the current device, it is determined whether a probing attack exists; the process information of the current device is monitored to determine whether a new process has started and to match it against the process white list, and if it is not in the process white list its startup is blocked and the associated process file is deleted; the network requests initiated outward by the current device are monitored and checked against the request white list, and a request judged illegal is blocked. Further preferably, it is detected whether the current system password is a weak password and the user is forced to change it; if the password is not changed, the user's other operations on the current device system are restricted, thereby restricting logins that are not performed manually by a person. The above embodiments of the present invention can effectively prevent illegal users or malicious code from intruding into the current device, and can thoroughly clean the malicious code and restore the device system by means of backup and restore.
The above embodiments are intended to illustrate, not to limit, the technical scheme of the present invention. Any modification or partial replacement that does not depart from the spirit and scope of the present invention shall be covered by the scope of the claims of the present invention.

Claims (14)

1. A method for defending IoT devices against intrusion, characterized in that it includes:
monitoring the system login log of the current device and, if the number of consecutive failed login records from the same IP exceeds a set value, blocking that IP from logging in to the current device;
monitoring the processes of the current device and, if a started process is not in the process white list, blocking the startup of that process;
monitoring the network requests initiated outward by the current device and, if a network request is not in the request white list, blocking the current network request.
2. The method of claim 1, characterized in that, after blocking the IP from logging in to the current device, it further includes: adding the IP to a blacklist, so that the IP is forbidden to log in to the current device.
3. The method of claim 1, characterized in that, if the started process was started by the user himself, the process name is added to the process white list in advance.
4. The method of claim 1 or 3, characterized in that the process white list is generated by taking a snapshot of the system processes in the initial state.
5. The method of claim 1, characterized in that the request white list stores the domain names or IP addresses used for system updates or known software updates.
6. The method of claim 1, characterized in that it further includes: backing up relevant information in the system of the current device and, after it is determined that the current device has been intruded, performing a recovery operation based on the backup, the relevant information including: overall files, system processes or account information.
7. The method of claim 1, characterized in that it further includes: after the user's first successful login, judging whether the system password is a weak password; if so, forcing the user to change the password, otherwise allowing the login to the current device.
8. A system for defending IoT devices against intrusion, characterized in that it includes:
a log monitoring module, for monitoring the system login log of the current device and, if the number of consecutive failed login records from the same IP exceeds a set value, blocking that IP from logging in to the current device;
a process monitoring module, for monitoring the processes of the current device and, if a started process is not in the process white list, blocking the startup of that process;
a request monitoring module, for monitoring the network requests initiated outward by the current device and, if a network request is not in the request white list, blocking the current network request.
9. The system of claim 8, characterized in that, after blocking the IP from logging in to the current device, it further: adds the IP to a blacklist, so that the IP is forbidden to log in to the current device.
10. The system of claim 8, characterized in that, if the started process was started by the user himself, the process name is added to the process white list in advance.
11. The system of claim 8 or 10, characterized in that the process white list is generated by taking a snapshot of the system processes in the initial state.
12. The system of claim 8, characterized in that the request white list stores the domain names or IP addresses used for system updates or known software updates.
13. The system of claim 8, characterized in that it further includes: a backup and restore module, for backing up relevant information in the system of the current device and, after it is determined that the current device has been intruded, performing a recovery operation based on the backup, the relevant information including: overall files, system processes or account information.
14. The system of claim 8, characterized in that it further includes: a weak password monitoring module, for judging, after the user's first successful login, whether the system password is a weak password; if so, forcing the user to change the password, otherwise allowing the login to the current device.
Priority Applications (1)

CN201611238992.7A (CN106790149A), priority date 2016-12-28, filing date 2016-12-28: Method and system for defending IoT devices against intrusion (Pending)

Publications (1)

CN106790149A, published 2017-05-31

Family

ID=58923113

Country Status (1)

CN (1): CN106790149A (en)


Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101650768A (en) * 2009-07-10 2010-02-17 深圳市永达电子股份有限公司 Security guarantee method and system for Windows terminals based on auto white list
CN102663274A (en) * 2012-02-07 2012-09-12 奇智软件(北京)有限公司 Method and system for detecting remote computer-invading behavior
CN103856371A (en) * 2014-02-28 2014-06-11 中国人民解放军91655部队 Safety protection method of information system
CN104917779A (en) * 2015-06-26 2015-09-16 北京奇虎科技有限公司 Protection method of CC attack based on cloud, device thereof and system thereof
CN105721198A (en) * 2016-01-20 2016-06-29 中国科学院信息工程研究所 Video monitoring system log safety audit method


Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107360148A (en) * 2017-07-05 2017-11-17 深圳市卓讯信息技术有限公司 Core design method and its system based on real time monitoring network safety
CN110099038A (en) * 2018-01-31 2019-08-06 慧与发展有限责任合伙企业 Detecting attacks on computing devices
CN110099038B (en) * 2018-01-31 2021-11-02 慧与发展有限责任合伙企业 Detecting attacks on computing devices
US11658986B2 (en) 2018-01-31 2023-05-23 Hewlett Packard Enterprise Development Lp Detecting attacks on computing devices
CN111385272A (en) * 2018-12-29 2020-07-07 北京奇虎科技有限公司 Weak password detection method and device
CN110830487A (en) * 2019-11-13 2020-02-21 杭州安恒信息技术股份有限公司 Abnormal state identification method and device for terminal of Internet of things and electronic equipment
CN111010384A (en) * 2019-12-07 2020-04-14 杭州安恒信息技术股份有限公司 Self-security defense system and security defense method for terminal of Internet of things
CN114519184A (en) * 2022-04-20 2022-05-20 北京圣博润高新技术股份有限公司 Account number encryption method, account number encryption device, account number encryption equipment and medium based on Agent process
CN114519184B (en) * 2022-04-20 2022-07-15 北京圣博润高新技术股份有限公司 Account number encryption method, account number encryption device, account number encryption equipment and medium based on Agent process


Legal Events

Date Code Title Description
2017-05-31 PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication