CN111597520B - Computer USB interface information security prevention and control method and system - Google Patents

Info

Publication number: CN111597520B
Application number: CN202010420280.7A
Authority: CN (China)
Prior art keywords: user, detection, emotion, control module, computer
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN111597520A
Inventors: 王磊, 黄力, 张建行, 张雪清, 朱皓, 黄照厅, 龙志, 唐磊, 张其静, 罗靖, 陈相吉, 付锡康, 朱平, 王颖, 方阳, 李克, 宋希静, 曾蓉, 瞿杨全, 陈晨, 居浩淼, 徐德华, 余秋衡, 邓冠, 汤龙, 黄伟, 王予彤
Current assignee: Guizhou Power Grid Co Ltd
Original assignee: Guizhou Power Grid Co Ltd
Application filed by Guizhou Power Grid Co Ltd; priority to CN202010420280.7A; published as CN111597520A (application) and CN111597520B (granted patent)

Classifications

    • G06F21/31 User authentication (under G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals)
    • G06F21/85 Protecting interconnection devices, e.g. bus-connected or in-line devices (under G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer > G06F21/82 Protecting input, output or interconnection devices)
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices (under G06F2221/00 Indexing scheme relating to security arrangements for protecting computers > G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements)

Abstract

The application discloses a computer USB interface information security prevention and control method. An external USB device is connected to a security management and control module, which sends a connection instruction to the management machine. The management machine receives the connection instruction, starts the computer's camera unit and judges whether the user is an authorized person; if so, the user passes detection, and if not, the detection module performs the permission check again. The detection information is sent to the management machine, which controls the on-off state of the internal switch of the security management and control module accordingly, and the switch state is reported back to the management machine. Access to all USB interfaces of the computer host is thus physically controlled, and the viewing authority granted on access is determined by an intelligent judging means, so that information security problems are effectively prevented and controlled and the security of the data stored on the computer is ensured.

Description

Computer USB interface information security prevention and control method and system
Technical Field
The application relates to the technical field of electronic information security, in particular to a computer USB interface information security prevention and control method and system.
Background
As computers are used ever more widely in daily life and work, USB interfaces are used more and more frequently and devices are plugged and unplugged constantly. According to statistics, of all physical interfaces other than the network adapter, the USB interface is the most effective channel for spreading malicious programs, and the USB protocol itself can be abused by an attacker, so the USB interface has become a carrier for spreading many malicious programs and mounting network security attacks.
Attacks through USB fall largely into the following categories: USB phishing, HID masquerading, 0-day exploits of USB, and USB-based power attacks. USB phishing attacks or infects target computers and electronic devices through the USB interface using USB flash drives, mobile hard disks, power banks, mice and other portable devices. In HID masquerading, an attack program on the USB device disguises the device as an HID device (such as a keyboard or mouse) over the USB interface in order to take control of the target host. With a USB 0-day vulnerability, the host is taken over by the attack program as soon as a USB device carrying the 0-day exploit is plugged in. The USB-based power attack, USB Killer, triggers a power overload after being plugged into the device, causing permanent damage to it. These attacks are highly covert and easily transmitted, and their harm is very serious; there are many cases worldwide, such as the attack on an Iranian nuclear power station through a USB interface in 2010.
The USB protective measures currently adopted are as follows. (1) Disabling the USB interface, typically by physically removing or blocking it, or by disabling it in the BIOS. This is very effective, but it amounts to giving up eating for fear of choking: the USB interface cannot be used at all, which is often inconvenient for work. (2) Using various firewalls and monitoring software to control USB interface security. Software-based control has a preventive effect against USB phishing attacks, but offers no protection against HID masquerading attacks or 0-day vulnerability attacks from USB devices. Neither existing measure can effectively avoid potential information security hazards while still meeting working requirements. In addition, with the continuous development of intelligent equipment in modern society, replacing manual operation with advanced intelligent means has become a trend, so a novel means of preventing and controlling USB interface information security is of great significance.
Disclosure of Invention
This section is intended to outline some aspects of embodiments of the application and to briefly introduce some preferred embodiments. Some simplifications or omissions may be made in this section as well as in the description of the application and in the title of the application, which may not be used to limit the scope of the application.
The present application has been made in view of the above-mentioned problems with existing USB safeguards.
Therefore, the technical problem solved by the application is that the existing USB protective measures cannot, by applying intelligent judging means, effectively avoid potential information security hazards while still meeting working requirements.
In order to solve the technical problem, the application provides the following technical scheme. The computer USB interface information security prevention and control method comprises: connecting an external USB device to a security control module, which sends a connection instruction to the management machine; the management machine receives the connection instruction, starts the computer camera unit and judges whether the user is an authorized person, in which case the user passes detection, and otherwise the detection module performs the permission check again; and the detection information is sent to the management machine, which controls the on-off state of the internal switch of the security control module according to the detection information, and the switch state is reported back to the management machine.
As a preferable scheme of the computer USB interface information security prevention and control method, the application comprises the following steps: judging whether the user is an authorized person or not, wherein the user is scanned by the camera unit, and the screenshot is sent to the face recognition unit; the face recognition unit scans the screenshot and recognizes the user; comparing the identified user with an authorized person database, and judging whether the user is an authorized person or not.
As a preferable scheme of the computer USB interface information security prevention and control method, the application comprises the following steps: if the user is judged to be an authorized person and passes detection, the data the user consults is tracked and recorded in real time.
As a preferable scheme of the computer USB interface information security prevention and control method, the application comprises the following steps: if the user is not an authorized person, performing permission detection again through the detection module comprises enabling the emotion detection unit to perform emotion detection of the user by the detection module; judging whether the emotion of the user is abnormal, if so, closing the viewing authority of all the materials, sending the screenshot of the user to a manager terminal, and if not, allowing to view the non-confidential materials through detection.
As a preferable scheme of the computer USB interface information security prevention and control method, the application comprises the following steps: and closing the checking authority of the confidential material before the detection module enables the emotion detection unit to detect the emotion of the user.
As a preferable scheme of the computer USB interface information security prevention and control method, the application comprises the following steps: and if the emotion detection of the user does not have abnormality, detecting the emotion change of the user in real time by the emotion detection unit, and judging whether the emotion of the user has abnormality in real time.
As a preferable scheme of the computer USB interface information security prevention and control method, the application comprises the following steps: after the camera unit scans and captures the user, the screenshot is recorded and stored.
As a preferable scheme of the computer USB interface information security prevention and control method, the application comprises the following steps: and when the external USB equipment is not connected to the safety control module, the physical switch configured in the safety control module is in a disconnected state by default.
In order to solve the technical problem, the application also provides the following technical scheme. The computer USB interface information security prevention and control system comprises: a security control module, which is wirelessly connected to the management machine for communication and cuts off or connects the power line of the USB interface according to control instructions from the management machine; the management machine, which manages all the security management and control modules, controls the on-off state of each USB interface according to the user's requirements, provides authority management, interface display, real-time warning and history inquiry, and sends SMS notifications to the user when necessary; and a detection module, which performs the permission check again when the user is detected to be an unauthorized person.
As a preferable scheme of the computer USB interface information security prevention and control system, the application comprises the following: the detection module comprises an emotion detection unit for detecting the user's emotion; a judging unit for judging whether the user's emotion is abnormal according to the information detected by the emotion detection unit; and a control unit for controlling the opening and closing of data viewing.
The application has the beneficial effects that: the application provides a computer USB interface information security prevention and control method, which physically controls access and use authorities of all USB interfaces of a computer host, and simultaneously uses an intelligent judging means to determine access checking authorities, thereby effectively preventing and controlling information security problems and ensuring the security of stored data of a computer.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art. Wherein:
FIG. 1 is a flowchart of the computer USB interface information security prevention and control method provided by the application;
FIG. 2 is a block diagram of the USB interface information security control system provided by the application;
FIG. 3 is a flow chart of the security management and control module according to the present application;
FIG. 4 is a system block diagram of the USB interface information security prevention and control system provided by the application;
FIG. 5 is a block diagram of the management machine according to the present application;
FIG. 6 is a product diagram of a universal management unit provided by the present application;
FIG. 7 is a product diagram of a communication unit provided by the present application;
FIG. 8 is a schematic block diagram of the security management and control module provided by the present application;
FIG. 9 is a block diagram of the wireless electronic lock according to the present application;
FIG. 10 is a diagram illustrating the internal configuration of the security management and control module according to the present application;
FIG. 11 is a schematic hardware diagram of the security management and control module according to the present application;
FIG. 12 is a schematic view of the overall scheme provided by the present application.
Detailed Description
So that the manner in which the above recited objects, features and advantages of the present application can be understood in detail, a more particular description of the application, briefly summarized above, may be had by reference to the embodiments, some of which are illustrated in the appended drawings. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments of the present application without making any inventive effort, shall fall within the scope of the present application.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present application, but the present application may be practiced in other ways other than those described herein, and persons skilled in the art will readily appreciate that the present application is not limited to the specific embodiments disclosed below.
Further, reference herein to "one embodiment" or "an embodiment" means that a particular feature, structure, or characteristic can be included in at least one implementation of the application. The appearances of the phrase "in one embodiment" in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments.
While the embodiments of the present application have been illustrated and described in detail in the drawings, the cross-sectional view of the device structure is not to scale in the general sense for ease of illustration, and the drawings are merely exemplary and should not be construed as limiting the scope of the application. In addition, the three-dimensional dimensions of length, width and depth should be included in actual fabrication.
Also in the description of the present application, it should be noted that the orientation or positional relationship indicated by the terms "upper, lower, inner and outer", etc. are based on the orientation or positional relationship shown in the drawings, are merely for convenience of describing the present application and simplifying the description, and do not indicate or imply that the apparatus or elements referred to must have a specific orientation, be constructed and operated in a specific orientation, and thus should not be construed as limiting the present application. Furthermore, the terms "first, second, or third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
The terms "mounted, connected, and coupled" should be construed broadly in this disclosure unless otherwise specifically indicated and defined, such as: can be fixed connection, detachable connection or integral connection; it may also be a mechanical connection, an electrical connection, or a direct connection, or may be indirectly connected through an intermediate medium, or may be a communication between two elements. The specific meaning of the above terms in the present application will be understood in specific cases by those of ordinary skill in the art.
Example 1
The USB protection measures adopted on the computer at present comprise disabling the USB interface and utilizing various firewalls and monitoring software to conduct USB interface safety control, but the two protection measures can not effectively avoid information potential safety hazards by applying intelligent judging means under the condition of meeting work requirements.
Therefore, referring to FIGS. 1, 3, 4, 8 and 10-12, the present application provides a computer USB interface information security prevention and control method, which comprises:
the external USB device is connected to the security control module 100, and the security control module 100 sends a connection instruction to the management machine 200;
the management machine 200 receives the connection instruction, starts the computer camera unit and judges whether the user is an authorized person; if so, the user passes detection, and if not, the detection module 300 performs the permission check again;
the detection information is sent to the management machine 200, which controls the on-off state of the switch in the security control module 100 according to the detection information, and the switch state is reported back to the management machine 200.
To ensure complete and thorough security protection and control of the USB interface, the protection must be implemented at the underlying hardware level: if protection is implemented only in software, software vulnerabilities can cause the protection to fail.
It is readily understood that: the application provides a computer USB interface information security prevention and control method, which relates to a security management and control module 100, a supervisor 200 and a detection module 300.
The security control module 100 is installed on a USB interface of the host computer. When a USB device is to be used, it is inserted into the USB interface of the security control module 100, which establishes a controllable physical isolation switch between the host's USB interface and the external USB device: a wireless electronic lock that communicates wirelessly with the management machine 200 and cuts off or connects the power line of the USB interface according to the management machine's control instructions. As shown in FIG. 10, the security management module 100 comprises a security control microprocessor (CPU) system, a double-throw relay, a data communication differential detection circuit, a wireless communication module and the like. The security control CPU can communicate directly with the inserted USB device to perform a preset authority check; this communication mainly reads out the ID of the USB device and the authorized secret key stored in it. If the ID passes verification, the double-throw relay is operated and the USB communication line is connected to the controlled USB interface. At the same time, the differential detection circuit monitors the connection state of the USB interface: when the USB device is pulled out there is no data communication on the line, the differential hardware circuit reports this to the security control CPU, and the CPU resets the relay to its default state to wait for the next insertion of a USB device.
The main function of the management machine 200 is to manage the wireless electronic locks of all the security management and control modules 100, control the on-off state of each USB interface according to the user's needs, provide rights management, interface display, real-time alarms (such as a module being plugged in or unplugged, or a time limit expiring) and history queries, and send notification messages to the user when necessary. The detection module 300 performs the authority check again when the user is detected to be an unauthorized person: it further checks the user's viewing authority through intelligent means and sends the detection information to the management machine 200, which controls the on-off state of the internal switch of the security control module 100 according to that information. In this way all USB interfaces of the computer host can be controlled, an external USB device can only be used by plugging it into the designated security control module 100 under the corresponding authorization, and different viewing authorities are granted to users through intelligent judging means, so that security control of the computer host and its USB interfaces is achieved and the security of the data stored on the computer is ensured.
It should be noted that:
(1) when the external USB device is not connected to the safety control module 100, the physical switch configured in the safety control module 100 is in a disconnected state by default, so that the connection between the USB male port and the USB female port is disconnected, the connection with the monitoring system host is not possible when the USB device is connected before permission is not obtained, and the safety is improved;
(2) until the security management and control module 100 receives the command from the management machine 200 to close the physical switch, the physical switch of the security management and control module 100 stays open, so the external USB device cannot communicate with the host computer; meanwhile, the security management and control module 100 sends a heartbeat message to the management machine 200 at regular intervals, so that the management machine can confirm that the module is working normally and has not been destroyed or pulled out.
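The relay logic of the security control module described above, as an added simulation (this is example code, not the patent's firmware); the device IDs, the per-device shared key used as the "authorized secret key", and the command names are constructed assumptions:

```python
# Added example, not from the patent: a simulation of security control module 100.
# The relay stays open until (a) the inserted device's ID and stored key pass the
# preset check and (b) the management machine sends the close command; an unplug
# detected by the differential circuit resets the relay to the default open state.
import hmac
from enum import Enum


class Relay(Enum):
    OPEN = "open"      # USB data line cut off (default, unauthorized)
    CLOSED = "closed"  # USB data line connected to the host port


class SecurityControlModule:
    def __init__(self, authorized_devices: dict):
        # Assumption: device ID -> expected key, preset on the module.
        self._authorized = authorized_devices
        self.relay = Relay.OPEN
        self._present = None       # ID of the inserted device, if any
        self._verified = False
        self.log = []

    def on_insert(self, device_id: str, presented_key: bytes) -> bool:
        """Differential circuit reports activity: read the device ID and key."""
        self._present = device_id
        expected = self._authorized.get(device_id)
        # compare_digest avoids leaking the key through timing differences
        self._verified = expected is not None and hmac.compare_digest(expected, presented_key)
        self.log.append(f"insert {device_id} verified={self._verified}")
        return self._verified

    def on_manager_command(self, command: str) -> Relay:
        """Apply a 'close' or 'open' command from the management machine.
        'close' only takes effect for a present, verified device."""
        if command == "close" and self._verified and self._present is not None:
            self.relay = Relay.CLOSED
        elif command == "open":
            self.relay = Relay.OPEN
        self.log.append(f"command {command} -> relay {self.relay.value}")
        return self.relay

    def on_unplug(self) -> Relay:
        """No data traffic on the line: reset to the default state."""
        self._present = None
        self._verified = False
        self.relay = Relay.OPEN
        self.log.append("unplug -> relay open")
        return self.relay


if __name__ == "__main__":
    module = SecurityControlModule({"dev-A": b"secret-A"})   # constructed sample
    module.on_insert("dev-A", b"secret-A")
    module.on_manager_command("close")
    module.on_unplug()
    module.on_insert("dev-B", b"secret-A")                   # unknown device
    module.on_manager_command("close")                       # stays open
    print("\n".join(module.log))
```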
The security management and control module 100 sends heartbeat message information to the supervisor 200 every 3 s.
The heartbeat message is used to monitor the operating state of the network memory. Each heartbeat message is sent as a UDP broadcast or unicast, carrying a string that indicates the operating state of the network memory. The sending mode and the interval between heartbeat messages can be set by the user on the control interface of the network memory.
Note that the transmission frequency of the device information should be kept as low as possible: periodic transmission avoids continuously sending the monitored signal just to determine whether the device is online, for example whether it has been pulled out or damaged. Taking into account the minimum time needed to read and write data during a single plug-in and unplug of a USB device, one frame every 3 seconds was found to be optimal.
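The management-machine side of that heartbeat, written as an added example (not code from the patent): it parses heartbeat frames, ignores replayed sequence numbers, and flags a module whose port should be treated as disconnected once it has gone silent. The payload format `HB <module_id> <seq> <state>`, the two-beat grace period and the timeline are constructed assumptions.

```python
# Added example, not from the patent: liveness monitoring of the 3 s heartbeat.
from dataclasses import dataclass, field

HEARTBEAT_INTERVAL = 3.0   # seconds, as stated in the description
MISSED_ALLOWED = 2         # assumption: alarm after two consecutive missed beats


@dataclass
class ModuleStatus:
    last_seen: float
    last_seq: int
    state: str
    online: bool = True
    alarms: list = field(default_factory=list)


class HeartbeatMonitor:
    def __init__(self):
        self.modules = {}

    def receive(self, payload: str, now: float) -> bool:
        """Parse one UDP payload 'HB <module_id> <seq> <state>' (assumed format).
        Returns False for malformed or replayed frames, which never refresh liveness."""
        parts = payload.split()
        if len(parts) != 4 or parts[0] != "HB":
            return False
        _, module_id, seq_str, state = parts
        try:
            seq = int(seq_str)
        except ValueError:
            return False
        status = self.modules.get(module_id)
        if status is None:
            self.modules[module_id] = ModuleStatus(now, seq, state)
            return True
        if seq <= status.last_seq:
            status.alarms.append(f"{now:.0f}s replayed seq {seq}")
            return False
        status.last_seen, status.last_seq, status.state = now, seq, state
        if not status.online:
            status.online = True
            status.alarms.append(f"{now:.0f}s module back online")
        return True

    def check(self, now: float) -> list:
        """Return IDs of modules silent for more than MISSED_ALLOWED beats.
        A silent module may have been destroyed or pulled out, so the manager
        treats its USB port as disconnected and raises an alarm."""
        lost = []
        deadline = HEARTBEAT_INTERVAL * (MISSED_ALLOWED + 1)
        for module_id, status in self.modules.items():
            if now - status.last_seen > deadline:
                if status.online:
                    status.online = False
                    status.alarms.append(f"{now:.0f}s heartbeat lost, port treated as open")
                lost.append(module_id)
        return lost


def run_scenario() -> dict:
    """Constructed timeline: m1 beats every 3 s until t=9 then goes silent; m2 keeps beating."""
    mon = HeartbeatMonitor()
    for t in range(0, 30, 3):
        mon.receive(f"HB m2 {t // 3} ok", float(t))
        if t < 12:
            mon.receive(f"HB m1 {t // 3} ok", float(t))
    lost = mon.check(27.0)
    return {"lost": lost,
            "m1_online": mon.modules["m1"].online,
            "m2_online": mon.modules["m2"].online}


if __name__ == "__main__":
    print(run_scenario())
```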
Further, determining whether the user is an authorized person includes:
the camera shooting unit scans the user and the screenshot is sent to the face recognition unit;
the face recognition unit scans the screenshot and recognizes the user;
and comparing the identified user with an authorized person database to judge whether the user is an authorized person.
It should be understood that a conventional computer system is generally equipped with an image capturing (camera) unit, which is turned on upon receiving a start instruction from the management machine 200 so as to observe what is in front of the computer.
The program by which the management machine 200 controls the camera unit to scan the user and sends the screenshot to the face recognition unit for recognition is as follows:
from selenium import webdriver   # assumption: 'driver' is a Selenium WebDriver session
import pytesseract
from PIL import Image
driver = webdriver.Chrome()                   # session whose view is captured
driver.get_screenshot_as_png()                # capture the current view as PNG bytes
driver.save_screenshot('screenshot.png')      # save the same capture to disk
image = Image.open('screenshot.png')          # PIL's class is Image; load the saved capture
code = pytesseract.image_to_string(image)     # OCR: extract any text found in the capture
print(code)
driver.quit()
The face recognition unit performs image recognition on the screenshot through the pytesseract library. It identifies the position and size of the face in the image, extracts detailed facial feature data and generates a temporary face ID, which is compared with the feature data of each face ID in the database. If the face ID exists in the database, the accumulated tracking time of that face ID is counted; if it does not, a brand-new face ID is generated and stored in the database together with its detailed feature data. After the image capturing unit scans the user, the screenshot is recorded and stored.
Further, if the user is judged to be an authorized person and passes detection, the data the user consults is tracked and recorded in real time so that responsibility can be precisely attributed.
Further, if the user is not an authorized person, performing the rights detection again by the detection module 300 includes:
the detection module 300 enables the emotion detection unit to perform emotion detection of the user;
judging whether the emotion of the user is abnormal, if so, closing the viewing authority of all the materials, sending the screenshot of the user to a manager terminal, and if not, allowing to view the non-confidential materials through detection.
When it is recognized that the user is not an authorized person, the emotion detection unit is activated to perform emotion detection of the user through the detection module 300.
Emotion recognition here follows the Face++ face-recognition based method: the various emotions of a face in a picture are analyzed and recognized, and a confidence score is returned for each emotion; the higher the confidence score of an emotion, the closer the face is judged to be to that emotion. Face++ can recognize the 7 most important emotions: anger, disgust, fear, happiness, calm (neutral), sadness and surprise. The method comprises the following steps: acquire a set S containing M face images; from the face vector set S, compute the average image ψ; compute the difference Φ between each image and the average image; find M orthogonal unit vectors u_n; and identify the face.
The specific detection operation program is as follows:
% training set / test set generation
% pixel_value (one image per row), M and N are assumed to be defined beforehand
% random permutation of the image sequence numbers
rand_label=randperm(M*N);
direction_label=repmat(1:N,1,M);
% training set (first 80 samples)
train_label=rand_label(1:80);
P_train=pixel_value(train_label,:)';
Tc_train=direction_label(train_label);
T_train=ind2vec(Tc_train);
% test set (remaining samples)
test_label=rand_label(81:end);
P_test=pixel_value(test_label,:)';
Tc_test=direction_label(test_label);
% creation of LVQ network: class proportions over the 5 classes of the training set
for i=1:5
rate{i}=length(find(Tc_train==i))/length(Tc_train);
end
net=newlvq(minmax(P_train),10,cell2mat(rate),0.01,'learnlv1');
net.trainParam.epochs=1000;
net.trainParam.goal=0.001;
net.trainParam.lr=0.1;
% network training
net=train(net,P_train,T_train);
% face recognition: simulated class indices against the true ones
T_sim=sim(net,P_test);
Tc_sim=vec2ind(T_sim);
result=[Tc_test;Tc_sim]
Preferably, the viewing authority for confidential material is closed before the detection module 300 enables the emotion detection unit to detect the user's emotion. If the user's emotion detection shows no abnormality, the emotion detection unit keeps detecting the user's emotion changes in real time and judges in real time whether an abnormality appears.
Because emotion detection cannot be performed with complete objectivity and accuracy, and the intelligent detection unit is only an advanced auxiliary means, the viewing authority for confidential information is closed before detection starts; this prevents leakage of confidential information and further ensures information security on top of the intelligently detected authority. The emotion detection unit then detects the user's emotion changes in real time and judges in real time whether the emotion is abnormal; once an abnormality appears, the viewing authority for all material is closed and a screenshot of the user is sent to the manager's terminal, so that the security of the material is ensured.
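The access-level decision described in the last few paragraphs, combining the authorized-person result with the Face++ style emotion scores, as an added example (not code from the patent). The rule for "abnormal" (a negative emotion with confidence at or above 60) and the sample score dictionaries are constructed assumptions; the page does not define them.

```python
# Added example, not from the patent: viewing authority for a user in front of the
# computer. Authorized users see everything and their accesses are logged; an
# unauthorized user starts with confidential material closed, is granted
# non-confidential viewing only if emotion detection shows no abnormality, and
# loses all viewing authority (with an alert) once an abnormality appears.
EMOTIONS = ("anger", "disgust", "fear", "happiness", "neutral", "sadness", "surprise")
ABNORMAL = {"anger", "disgust", "fear", "sadness"}   # assumption: emotions treated as abnormal
ABNORMAL_THRESHOLD = 60.0                            # assumption: confidence scale 0-100


def top_emotion(scores: dict) -> tuple:
    """Return (name, confidence) of the highest-confidence known emotion."""
    known = {k: v for k, v in scores.items() if k in EMOTIONS}
    if not known:
        raise ValueError("no recognised emotion labels in scores")
    name = max(known, key=known.get)
    return name, known[name]


def is_abnormal(scores: dict) -> bool:
    name, confidence = top_emotion(scores)
    return name in ABNORMAL and confidence >= ABNORMAL_THRESHOLD


class ViewingSession:
    """Levels: 'all' (authorized person), 'non_confidential', 'none'."""

    def __init__(self, authorized: bool):
        self.authorized = authorized
        self.locked = False          # set once an abnormality has been seen
        self.alerts = []
        self.access_log = []         # real-time tracking for authorized users
        # Confidential material is closed before emotion detection starts.
        self.level = "all" if authorized else "none"

    def apply_emotion(self, scores: dict) -> str:
        """Initial check and every real-time re-check for an unauthorized user."""
        if self.authorized:
            return self.level
        if self.locked:
            return self.level
        if is_abnormal(scores):
            self.locked = True
            self.level = "none"
            self.alerts.append("abnormal emotion: screenshot sent to manager terminal")
        else:
            self.level = "non_confidential"
        return self.level

    def view(self, item: str, confidential: bool) -> bool:
        """Return whether the item may be viewed at the current level."""
        allowed = self.level == "all" or (self.level == "non_confidential" and not confidential)
        if allowed and self.authorized:
            self.access_log.append(item)
        return allowed


if __name__ == "__main__":
    calm = {"anger": 3.0, "disgust": 1.0, "fear": 2.0, "happiness": 10.0,
            "neutral": 80.0, "sadness": 2.0, "surprise": 2.0}   # constructed scores
    session = ViewingSession(authorized=False)
    print(session.apply_emotion(calm), session.view("notice.txt", confidential=False))
    print(session.apply_emotion(dict(calm, anger=85.0, neutral=5.0)), session.alerts)
```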
Table 1 below compares the performance of the present application with the prior art that performs USB interface security management and control using various firewalls and monitoring software (e.g. the Rayleigh firewall 24.00):
table 1: performance comparison Table
Simulating two computers with consistent performance, the above data are divided into core data and common data. Computers were installed with the prior art and the application, respectively, and the viewing of the material was performed by 20 persons (10 persons authorized, 10 persons not authorized) within one month, and the unauthorized 10 persons gave instructions to view the material and make additional downloads for simulated theft. As shown in the table, the prior art can be used for 100% connection into a computer, and unauthorized 10 persons can also steal data, and the application can be used for 13 times connection into the computer, wherein 10 times are authorized 10 persons, and the other 3 times are unauthorized three persons, so that the application has obvious advantages in data prevention and control compared with the prior art.
The present application establishes a controllable physical isolation switch between the USB interface of the monitoring system host and the external USB device. The management machine 200 controls whether the security management and control module 100 is enabled; when the module is not enabled, the external USB device has no physical connection to the monitoring system host and cannot be used. Only when authorized by the management machine 200 is the security management and control module 100 enabled, so that the external USB device can establish a physical connection with the monitoring system host and be used. The security management and control module 100 is installed on each USB interface of the monitoring system host that is to be managed; when a USB device is connected, it must be authorized by the management machine 200 before it can establish a physical connection with the host. In this way all USB interfaces of the monitoring system can be managed and controlled, and an external USB device must be plugged into the designated security management and control module 100 and used according to its authorization, which achieves security management and control of the computer's USB interfaces.
Example 2
Referring to fig. 2 and figs. 5 to 11, a first embodiment of the computer USB interface information security prevention and control system provided by the present application is as follows. A computer USB interface information security prevention and control system comprises:
the security management and control module 100, which communicates with the management machine 200 over a wireless connection and cuts off or connects the power line of the USB interface according to control instructions from the management machine 200;
the management machine 200, which manages all security management and control modules 100, controls the on/off state of each USB interface according to user demands, provides authority management, interface display, real-time alarm and history query functions, and sends notification short messages to users when necessary;
the detection module 300, which re-checks the user's authority when the user is detected to be an unauthorized person.
Further, the detection module 300 comprises:
an emotion detection unit for detecting the emotion of the user;
a judging unit for judging whether the emotion of the user is abnormal according to the information detected by the emotion detection unit;
and a control unit for controlling the viewing and closing of the materials.
The present application develops a USB interface management and control module whose hardware schematic is shown in fig. 10. It consists mainly of a CPU, a ZigBee SoC chip, a pair of USB male and female ports, a relay switching circuit, a pull-out detection circuit and an indicator lamp. The CPU is an STM32 series chip from ST or an LPC series chip from NXP; these chips are based on the common ARM Cortex-M3/M4 cores and have a built-in USB host controller and PHY, so a small embedded USB host can be built conveniently and can communicate with USB slave devices such as a USB flash disk. The ZigBee SoC chip can be a TI CC2530 or a Freescale MC13224; these have the advantages of low power consumption and ease of use, conveniently give the module a ZigBee wireless communication function, and, thanks to the self-organizing, self-healing, multi-hop routing and encryption security features of the standard ZigBee protocol, can form a stable wireless network. The pull-out detection circuit can use a TI TUSB2xx series USB conditioner chip, which shapes the waveforms and indicates the connection state, or a differential circuit combined with an FPGA/CPLD to detect the USB connection state; its main function is to notify the management and control CPU when the user pulls out the USB flash disk, whereupon the CPU resets the relay so that the next USB flash disk inserted again communicates with the management and control CPU. The control state of the management and control CPU over the device is indicated to the user visually by the indicator lamp: for example, when the current control module cannot accept any device it shows red, when one or more U disks are inserted it shows yellow, and after a U disk meeting the requirements is inserted it shows green.
Referring to fig. 8, which shows the functional block diagram of the security management and control module 100: the module's power supply is taken from VBUS of the USB interface of the monitoring system host on which it is installed. The management machine 200 sends information to and receives information from the controller of the security management and control module 100 in a wired or wireless manner; the controller receives instructions from the management machine 200 and drives the internal switching device to control the physical connection between the USB male port and the USB female port, thereby achieving security management and control of access by external USB devices.
Further, the management machine 200 comprises:
a communication unit, used for communication and consisting of a wireless communication MCU and a USB-to-serial port chip;
a communication management unit, which runs an operating system and provides the software background that implements the authority management and history record functions; an external display connected to the communication management unit allows alarms and history to be checked locally.
Specifically, fig. 5 shows the block diagram of the management machine 200, which consists of a communication unit and a general management unit. Referring to fig. 6, the general management unit is an outsourced rack-mounted 1U or 2U management unit from a mainstream manufacturer (such as the zheng yue TGW101x in the middle department); it runs the operating system and provides the software background that implements authority management, history record and similar functions, and alarms and history can be checked locally on an external display. Referring to fig. 7, the communication unit consists of a wireless communication MCU and a USB-to-serial port chip. The USB-to-serial chip uses a common scheme (such as the PL2303), the MCU is a chip with an integrated wireless transceiver, and the two communicate over a serial port, which simplifies the software. The management machine 200 is externally connected to a USB wireless communication unit, and an external suction-cup antenna is mounted on top of the cabinet.
Preferably, the security management and control module 100 is a wireless electronic lock.
The wireless electronic lock has two main functions: it communicates wirelessly with the centralized management machine, and it cuts off or connects the power line of the USB interface according to the control instruction received. Its structural block diagram is shown in fig. 9.
The two ends of the wireless electronic lock are a male and a female USB connector. The lock does not participate in or affect the original communication and only controls the on/off state of the power line; it draws power from the host's USB female socket, contains an MCU with a wireless communication function, and can interact wirelessly with the centralized management machine through its on-board antenna.
The security management and control module 100 comprises a security control microprocessor (CPU) system, a double-throw relay, a data-communication differential detection circuit, a wireless communication module and so on. The security control CPU can communicate directly with the inserted USB device to perform the preset authority check; this communication mainly reads the ID of the USB device and the authorization key stored on it. If the ID passes verification, the double-throw relay is operated and the USB communication lines are connected to the controlled USB interface. Meanwhile the differential detection circuit monitors the connection state of the USB interface: when the USB device is pulled out there is no data communication on the lines, the differential hardware circuit reports this to the security control CPU, and the CPU resets the relay so as to wait for the next insertion of a USB device.
The security management and control module 100 establishes a controllable physical isolation switch between the USB interface of the monitoring system host and the external USB device, while the main function of the management machine 200 is to control the security management and control modules 100 and receive their feedback, so that several modules 100 can be managed at the same time. The module 100 is installed on a USB interface of the monitoring system host, and a USB device is plugged into the USB interface of the module 100 when it is to be used. The management machine 200 controls whether the module 100 is enabled; when it is not enabled, the external USB device has no physical connection to the monitoring system host and cannot be used, and only when authorized by the management machine 200 is the module 100 enabled so that the external USB device can establish a physical connection with the host. Since every managed USB interface of the host carries a module 100 and every connected USB device must be authorized by the management machine 200 before it can establish a physical connection with the host, all USB interfaces of the monitoring system can be managed and controlled; an external USB device must be plugged into the designated module 100 and used according to its authorization, which achieves security management and control of the computer's USB interfaces.
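The module's switching and heartbeat behaviour from this embodiment and from claim 1, as an added simulation that is not the patent's own firmware: the management machine is an in-memory stand-in, the face and emotion checks are collapsed into one authorization decision on the device ID and stored key (the CPU check described above), and the device IDs, keys and the two-missed-beats policy are constructed.

```python
"""Switching and heartbeat logic of the security management and control module,
as an added simulation that is not the patent's own firmware. The management
machine is an in-memory stand-in, the face/emotion checks of claim 1 are
abstracted to one authorization decision, and every device ID and key below
is constructed. On real hardware this would run on the module's STM32/LPC CPU."""
import hmac
from dataclasses import dataclass, field
from enum import Enum

HEARTBEAT_PERIOD_S = 3.0   # claim 1: one heartbeat message every 3 s
HEARTBEAT_GRACE = 2        # constructed policy: missed beats before a module is flagged


class Relay(Enum):
    DISCONNECTED = "disconnected"   # default: host port physically isolated
    CONNECTED = "connected"         # host port wired through to the device


@dataclass
class UsbDevice:
    device_id: str      # ID read from the device (constructed VID:PID:serial)
    stored_key: bytes   # authorization key read from the device


@dataclass
class ManagementMachine:
    """Stand-in for the management machine (200)."""
    authorized: dict = field(default_factory=dict)       # device_id -> key
    last_heartbeat: dict = field(default_factory=dict)   # module_id -> time
    log: list = field(default_factory=list)

    def authorize(self, module_id: str, dev: UsbDevice) -> bool:
        """Verify ID and key; the key comparison is constant-time."""
        expected = self.authorized.get(dev.device_id)
        ok = expected is not None and hmac.compare_digest(expected, dev.stored_key)
        self.log.append((module_id, dev.device_id, "authorized" if ok else "denied"))
        return ok

    def heartbeat(self, module_id: str, now: float) -> None:
        self.last_heartbeat[module_id] = now

    def stale_modules(self, now: float) -> list:
        """Modules whose heartbeat is overdue: not in a normal working state."""
        limit = HEARTBEAT_PERIOD_S * HEARTBEAT_GRACE
        return [m for m, t in self.last_heartbeat.items() if now - t > limit]


@dataclass
class ControlModule:
    """One security management and control module (100) on one host port."""
    module_id: str
    manager: ManagementMachine
    relay: Relay = Relay.DISCONNECTED   # open by default (claim 1)
    next_heartbeat: float = 0.0

    def tick(self, now: float) -> None:
        """Send a heartbeat each time the 3 s period has elapsed."""
        if now >= self.next_heartbeat:
            self.manager.heartbeat(self.module_id, now)
            self.next_heartbeat = now + HEARTBEAT_PERIOD_S

    def on_insert(self, dev: UsbDevice) -> Relay:
        """Relay is open, so the module CPU (not the host) talks to the device:
        read its ID and key, ask the management machine, then switch."""
        if self.manager.authorize(self.module_id, dev):
            self.relay = Relay.CONNECTED
        return self.relay

    def on_pullout(self) -> Relay:
        """Differential detection sees no traffic: reset to the default state
        so the next device inserted talks to the module CPU again."""
        self.relay = Relay.DISCONNECTED
        return self.relay


if __name__ == "__main__":
    mgr = ManagementMachine(authorized={"VID1234:PID5678:SN01": b"k" * 32})
    mod = ControlModule("port-1", mgr)
    print(mod.on_insert(UsbDevice("VID1234:PID5678:SN01", b"k" * 32)))
    print(mod.on_pullout())
    print(mod.on_insert(UsbDevice("VID1234:PID5678:SN99", b"k" * 32)))
    for t in (0.0, 3.0, 6.0):
        mod.tick(t)
    print(mgr.stale_modules(12.5), mgr.log)
```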
It should be appreciated that embodiments of the application may be implemented or realized by computer hardware, a combination of hardware and software, or by computer instructions stored in a non-transitory computer readable memory. The methods may be implemented in a computer program using standard programming techniques, including a non-transitory computer readable storage medium configured with a computer program, where the storage medium so configured causes a computer to operate in a specific and predefined manner, in accordance with the methods and drawings described in the specific embodiments. Each program may be implemented in a high level procedural or object oriented programming language to communicate with a computer system. However, the program(s) can be implemented in assembly or machine language, if desired. In any case, the language may be a compiled or interpreted language. Furthermore, the program can be run on a programmed application specific integrated circuit for this purpose.
Furthermore, the operations of the processes described herein may be performed in any suitable order unless otherwise indicated herein or otherwise clearly contradicted by context. The processes (or variations and/or combinations thereof) described herein may be performed under control of one or more computer systems configured with executable instructions, and may be implemented as code (e.g., executable instructions, one or more computer programs, or one or more applications), by hardware, or combinations thereof, collectively executing on one or more processors. The computer program includes a plurality of instructions executable by one or more processors.
Further, the method may be implemented in any type of computing platform operatively connected to a suitable computing platform, including, but not limited to, a personal computer, mini-computer, mainframe, workstation, network or distributed computing environment, separate or integrated computer platform, or in communication with a charged particle tool or other imaging device, and so forth. Aspects of the application may be implemented in machine-readable code stored on a non-transitory storage medium or device, whether removable or integrated into a computing platform, such as a hard disk, optical read and/or write storage medium, RAM, ROM, etc., such that it is readable by a programmable computer, which when read by a computer, is operable to configure and operate the computer to perform the processes described herein. Further, the machine readable code, or portions thereof, may be transmitted over a wired or wireless network. When such media includes instructions or programs that, in conjunction with a microprocessor or other data processor, implement the steps described above, the application described herein includes these and other different types of non-transitory computer-readable storage media. The application also includes the computer itself when programmed according to the methods and techniques of the present application. The computer program can be applied to the input data to perform the functions described herein, thereby converting the input data to generate output data that is stored to the non-volatile memory. The output information may also be applied to one or more output devices such as a display. In a preferred embodiment of the application, the transformed data represents physical and tangible objects, including specific visual depictions of physical and tangible objects produced on a display.
As used in this disclosure, the terms "component," "module," "system," and the like are intended to refer to a computer-related entity, either hardware, firmware, a combination of hardware and software, or software in execution. For example, the components may be, but are not limited to: a process running on a processor, an object, an executable, a thread of execution, a program, and/or a computer. By way of example, both an application running on a computing device and the computing device can be a component. One or more components may reside within a process and/or thread of execution and a component may be localized on one computer and/or distributed between two or more computers. Furthermore, these components can execute from various computer readable media having various data structures thereon. The components may communicate by way of local and/or remote processes such as in accordance with a signal having one or more data packets (e.g., data from one component interacting with another component in a local system, distributed system, and/or across a network such as the internet with other systems by way of the signal).
It should be noted that the above embodiments are only for illustrating the technical solution of the present application and not for limiting the same, and although the present application has been described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that the technical solution of the present application may be modified or substituted without departing from the spirit and scope of the technical solution of the present application, which is intended to be covered in the scope of the claims of the present application.

Claims (2)

1. A computer USB interface information security prevention and control method, characterized in that it comprises the steps of:
the external USB device is connected to the security management and control module (100), and the security management and control module (100) sends a connection instruction to the management machine (200);
the management machine (200) receives the connection instruction, controls the computer camera unit to start, and judges whether the user is an authorized person; if so, the detection is passed, and if not, authority detection is performed again by the detection module (300);
the detection information is sent to the management machine (200), the management machine (200) controls the on/off state of the internal switch of the security management and control module (100) according to the detection information, and the on/off information is sent to the management machine (200);
determining whether the user is an authorized person comprises:
the camera unit scans the user, captures a picture and sends the captured picture to the face recognition unit;
the face recognition unit scans the screenshot and identifies the user;
the identified user is compared with the authorized person database to judge whether the user is an authorized person;
if the user is judged to be an authorized person and passes the detection, the material the user consults is tracked and recorded in real time;
if the user is not an authorized person, performing authority detection again by the detection module (300) comprises:
the detection module (300) enables the emotion detection unit to detect the emotion of the user;
judging whether the emotion of the user is abnormal; if so, closing the viewing authority for all materials and sending the screenshot of the user to the manager's terminal, and if not, passing the detection and allowing non-confidential materials to be viewed;
the viewing authority for confidential materials is closed before the detection module (300) enables the emotion detection unit to detect the emotion of the user;
if the emotion detection of the user does not pass after an abnormality, the emotion detection unit detects changes in the user's emotion in real time and judges in real time whether the user's emotion is abnormal;
the camera unit scans the screenshot of the user and records and stores the screenshot;
when no external USB device is connected to the security management and control module (100), the physical switch configured in the security management and control module (100) is in the disconnected state by default, so that an external USB device cannot communicate with the host computer, and the security management and control module (100) sends a heartbeat message to the management machine (200) every 3 s to indicate that it is in a normal working state.
2. A system employing the computer USB interface information security prevention and control method as defined in claim 1, characterized in that the system comprises a security management and control module, a management machine and a detection module;
the security management and control module (100) communicates with the management machine (200) over a wireless connection and cuts off or connects the power line of the USB interface according to control instructions from the management machine (200);
the management machine (200) manages all security management and control modules (100), controls the on/off state of each USB interface according to user demand, provides authority management, interface display, real-time alarm and history query functions, and sends a notification short message to the user when necessary;
the detection module (300) re-checks the user's authority when the user is detected to be an unauthorized person;
the detection module (300) comprises an emotion detection unit, a judging unit and a control unit;
the emotion detection unit detects the emotion of the user;
the judging unit judges whether the emotion of the user is abnormal according to the information detected by the emotion detection unit;
the control unit controls the viewing and closing of the materials.
CN202010420280.7A 2020-05-18 2020-05-18 Computer USB interface information security prevention and control method and system Active CN111597520B (en)

Publications (2)

Publication Number Publication Date
CN111597520A CN111597520A (en) 2020-08-28
CN111597520B true CN111597520B (en) 2023-10-17
