CN112492605A - Network security protection method and system for mobile base station of Internet of things - Google Patents

Network security protection method and system for mobile base station of Internet of things

Info

Publication number
CN112492605A
Authority
CN
China
Prior art keywords
protection
internet
things
authority
protocol
Prior art date
Legal status
Withdrawn
Application number
CN202011350704.3A
Other languages
Chinese (zh)
Inventor
周亚琴
Current Assignee
Individual
Original Assignee
Individual
Priority date
Filing date
Publication date
Application filed by Individual
Priority to CN202011350704.3A
Publication of CN112492605A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08 Access security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The embodiment of the invention provides a network security protection method and system for an Internet of things mobile base station. A preset security protection script of each registered access item in the registered access item data, relative to a target Internet of things mobile base station, is extracted; from it, the security protection unit corresponding to the registered application authority position is determined and associated with the access verification process of the corresponding registered access item. When the Internet of things verification terminal is to access a target registered access item, the target Internet of things mobile base station is requested to establish a control channel between the Internet of things verification terminal and the target Internet of things device, and the corresponding security protection unit performs security protection processing on the control instruction information in the control channel. In this way, network security protection of the different registered access items during data interaction can be performed on the Internet of things mobile base station in a more targeted manner, targeted management with the registered access items as the network security protection objects is achieved, and the security of Internet of things services is improved.

Description

Network security protection method and system for mobile base station of Internet of things
Technical Field
The invention relates to the technical field of network security protection of the Internet of things, in particular to a network security protection method and system of a mobile base station of the Internet of things.
Background
At present, with the evolution of 5G technology and Internet of things technology, Internet of things mobile base stations are being deployed widely, and data interaction in the Internet of things brings great challenges to network security. Access control in Internet of things services in particular is an important problem for the network security of the Internet of things. How to perform network security protection of the different registered access items of an Internet of things mobile base station during data interaction in a more targeted manner is therefore a technical problem to be solved urgently in the field.
Disclosure of Invention
In order to overcome at least the above disadvantages in the prior art, the present invention aims to provide a network security protection method and system for an internet of things mobile base station, which can perform network security protection on different registered access items of the internet of things mobile base station in a data interaction process in a more targeted manner, and realize targeted management using the registered access items as network security protection objects, thereby improving the security of internet of things services.
In a first aspect, the invention provides a network security protection method for internet of things mobile base stations, which is applied to an internet of things cloud server, wherein the internet of things cloud server is in communication connection with a plurality of internet of things mobile base stations and is in communication connection with an internet of things verification terminal for registering in each internet of things mobile base station, and the method comprises the following steps:
acquiring a registration use request aiming at a target Internet of things mobile base station sent by the Internet of things verification terminal, and acquiring corresponding registration access project data and a registration application authority position from the registration use request;
extracting a preset safety protection script of each registered access item in the registered access item data relative to the target Internet of things mobile base station, determining a safety protection unit corresponding to the registered application authority position according to the preset safety protection script, respectively associating each safety protection unit to an access verification process of a corresponding registered access item, then issuing terminal information of the Internet of things verification terminal to the target Internet of things mobile base station, and enabling the target Internet of things mobile base station to record the terminal information of the Internet of things verification terminal into an authorization terminal sequence corresponding to an equipment control sequence, wherein the equipment control sequence comprises a plurality of Internet of things equipment for controlling the Internet of things verification terminal;
when an access request aiming at a target registration access item corresponding to the target Internet of things mobile base station and sent by the Internet of things verification terminal is received, a control channel between the Internet of things verification terminal and target Internet of things equipment corresponding to the access request is requested to be established from the target Internet of things mobile base station, and safety protection processing is carried out on control instruction information in the control channel through a safety protection unit in an access verification process of the target registration access item.
In a possible implementation manner of the first aspect, the step of obtaining a registration use request for a target internet of things mobile base station sent by the internet of things verification terminal, and obtaining corresponding registration access item data and a registration application authority position from the registration use request includes:
sending an internet of things mobile base station list in a target area requested by the internet of things verification terminal to the internet of things verification terminal;
acquiring a target Internet of things mobile base station determined by the Internet of things verification terminal from the Internet of things mobile base station list, and sending a registration access item selection list and a registration application authority position selection list of the target Internet of things mobile base station to the Internet of things verification terminal;
and acquiring a registration use request sent by the Internet of things verification terminal after the selection operation is carried out on the registration access item selection list and the registration application authority position selection list, and acquiring corresponding registration access item data and a registration application authority position from the registration use request.
In a possible implementation manner of the first aspect, the step of extracting a preset security protection script of each registered access item in the registered access item data relative to the target internet of things mobile base station, and determining a security protection unit corresponding to the registered application permission position according to the preset security protection script includes:
extracting a preset safety protection script of each registered access item in the registered access item data relative to the target internet of things mobile base station from a preset safety protection script library of the target internet of things mobile base station;
determining the authority protocol range of the registered application authority position in an authority protocol layer according to the preset safety protection script;
and determining a safety protection unit corresponding to the registered application authority position according to the authority protocol range and the authority position of each authority protocol node in the authority protocol layer.
In a possible implementation manner of the first aspect, the step of determining, according to the authority protocol range and the authority position of each authority protocol node in the authority protocol layer, a security protection unit corresponding to the authority position of the registered application includes:
acquiring registered access item data pre-bound by each authority protocol node in the authority protocol layer, and judging whether the registered access item data pre-bound by each authority protocol node comprises access item characteristic information matched with a protocol response component in the authority protocol range;
when the registered access item data pre-bound by each authority protocol node does not include the access item characteristic information matched with the protocol response component of the authority protocol range, determining a plurality of pieces of registered access item data matched with the protocol response component of the authority protocol range as a plurality of pieces of target registered access item data;
acquiring the authority position of each target registration access item data in the target registration access item data, sequentially splicing the target registration access item data according to the sequence of the authority positions of the target registration access item data, and determining an updated registration access item sequence;
and determining a target security protection unit of the registered access item data in the authority protocol layer according to the updated registered access item sequence and the authority protocol range.
In a possible implementation manner of the first aspect, the step of obtaining the registered access item data pre-bound by each authority protocol node in the authority protocol layer, and determining whether the registered access item data pre-bound by each authority protocol node includes access item feature information matched with the protocol response component in the authority protocol range includes:
acquiring registered access item data pre-bound by each authority protocol node in the authority protocol layer, and acquiring protection protocol data of at least one set protection protocol in the registered access item data pre-bound by each authority protocol node;
grouping protection protocol data with set protection protocols according to different set protection protocols to obtain a plurality of first protection protocol data feature groups, wherein the first protection protocol data feature groups are a set of protection protocol data containing the same set protection protocol, and the set protection protocols corresponding to each first protection protocol data feature group are different;
determining target protection protocol data characteristics existing in the protection protocol data of each first protection protocol data characteristic group according to the protocol response component of the authority protocol range to obtain a plurality of second protection protocol data characteristic groups;
judging whether the authority protocol range of each set protection protocol in the plurality of second protection protocol data feature groups is larger than the authority protocol range;
if the authority protocol range of each set protection protocol in the plurality of second protection protocol data feature groups is larger than the authority protocol range, judging that the registered access item data pre-bound by each authority protocol node comprises access item feature information matched with a protocol response component in the authority protocol range;
and if the authority protocol range of each set protection protocol in the plurality of second protection protocol data characteristic groups is not larger than the authority protocol range, judging that the registered access item data pre-bound by each authority protocol node does not include access item characteristic information matched with the protocol response component in the authority protocol range.
In a possible implementation manner of the first aspect, the step of determining, according to the updated sequence of the registered access item and the authority protocol range, a target security protection unit of the registered access item data in the authority protocol layer includes:
determining registered access item data in a preset protection type interval corresponding to the target Internet of things mobile base station according to the updated registered access item sequence and the authority protocol range;
and determining a target security protection unit of the registered access item data in the authority protocol layer according to the registered access item data of the mobile base station of the internet of things in a preset protection type interval.
In a possible implementation manner of the first aspect, the step of determining, according to the registered access item data of the internet of things mobile base station in the preset protection type interval, the target security protection unit of the registered access item data in the authority protocol layer includes determining the target security protection unit of the registered access item data in the authority protocol layer, where the target security protection unit includes a first access point and a second access point, and the first access point and the second access point are
Obtaining safety protection units of authority protocol layers corresponding to a plurality of protection configuration nodes of the mobile base station of the Internet of things in the preset protection type interval;
for the safety protection unit of the preset protection type interval of the authority protocol layer corresponding to each protection configuration node, determining a safety protection unit meeting preset conditions to be processed from the currently unmarked safety protection units of the preset protection type interval of the protection configuration node, and using the safety protection unit as a to-be-marked safety protection unit to be detected;
determining protection instance parameters of the undetermined safety protection units in the protocol environment of the authority protocol layer, or until no unmarked safety protection unit exists in the safety protection units in the preset protection type interval, wherein the process of determining the protection instance parameters of each undetermined safety protection unit in the protocol environment of the authority protocol layer is as follows:
determining protection instance parameters of the undetermined safety protection unit on the protocol environment of the authority protocol layer based on the protection level of the undetermined safety protection unit in the protection configuration node, the first protection instance parameter, determined by the safety protection unit in the protocol environment, of the authority protocol layer, and the second protection instance parameter, determined by the safety protection unit in other protection configuration nodes and the protocol environment which are the same as the protocol environment, of the authority protocol layer, of the safety protection configuration node, wherein the other protection configuration nodes are as follows: the protection configuration nodes except the protection configuration node where the undetermined safety protection unit is located in the obtained protection configuration nodes, wherein the protection instance parameters of the undetermined safety protection unit in the protocol environment of the authority protocol layer are protection instance parameters obtained after fusion parameters of the first protection instance parameters and the protection instance parameters are fused based on the fusion parameters corresponding to the protection levels;
determining an associated protection configuration parameter of a current protection configuration node according to a protection configuration script and a protection instance parameter of the current protection configuration node in the preset protection type interval, wherein the preset protection type interval corresponds to a plurality of protection configuration nodes, and the current protection configuration node is any one of the plurality of protection configuration nodes;
performing association protection configuration on the registered access project data according to the association protection configuration parameters of the current protection configuration node to obtain association protection configuration information;
according to the associated protection configuration information, counting performance dimension information including the current registration access project data, total associated protection configuration parameters of the current protection configuration node and protection performance information of the current protection configuration node;
determining the associated protection configuration parameters of the next protection configuration node adjacent to the current protection configuration node in the preset protection type interval according to the protection label of the current protection configuration node, the preset associated protection configuration parameters and the protection performance information, so as to determine the protection protocol data of the next adjacent protection configuration node by calculating the associated protection configuration parameters of the next adjacent protection configuration node;
and determining a target security protection unit of the registered access item data in the authority protocol layer by accumulating a protection instruction set formed by the protection protocol data of each determined protection configuration node, wherein the target security protection unit comprises the protection instruction set.
In a possible implementation manner of the first aspect, the step of determining, according to the guard tag of the current guard configuration node, a preset associated guard configuration parameter, and the guard performance information, an associated guard configuration parameter of a next guard configuration node adjacent to the current guard configuration node in the preset guard type interval includes:
acquiring a set protection grade of a protection configuration node sequence in the preset protection type interval, and determining the set protection grade of the protection configuration node sequence in the preset protection type interval as the set protection grade of the current protection configuration node;
calculating a weighted protection grade of the current protection configuration node according to the protection label of the current protection configuration node and the set protection grade of the current protection configuration node, wherein the weighted protection grade is obtained by multiplying the set protection grade by a coefficient corresponding to the protection label;
acquiring the actual protection performance intensity of the preset protection type interval protection configuration node sequence, and updating the actual protection performance intensity of the preset protection type interval protection configuration node sequence by calculation according to the balance protection grade of the current protection configuration node, the preset associated protection configuration parameter of the current protection configuration node and the actual protection performance intensity of the preset protection type interval protection configuration node sequence;
calculating the target protection performance intensity of the preset protection type interval protection configuration node sequence according to the updated actual protection performance intensity, the preset initial protection performance intensity, the initial protection configuration node of the protection configuration node sequence of the preset protection type interval and the tail protection configuration node of the protection configuration node sequence of the preset protection type interval;
calculating protection associated parameters according to the actual protection performance intensity of the preset protection type interval protection configuration node sequence, the preset initial protection performance intensity, the initial protection configuration node of the preset protection type interval protection configuration node sequence and the tail protection configuration node of the preset protection type interval protection configuration node sequence;
according to the target protection performance intensity of the preset protection type interval protection configuration node sequence, the actual protection performance intensity of the preset protection type interval protection configuration node sequence and the protection correlation parameter, after the target protection performance intensity of the protection configuration node sequence of the next adjacent protection configuration node in the preset protection type interval is obtained through calculation, the performance control parameter of the next adjacent protection configuration node in the preset protection type interval is determined;
and obtaining the associated protection configuration parameters of the next protection configuration node adjacent to the current protection configuration node in the preset protection type interval through weighting calculation of respective corresponding weighting parameters according to the performance control parameters, the target protection performance intensity of the protection configuration node sequence of the next adjacent protection configuration node in the preset protection type interval and the protection associated parameters.
In a possible implementation manner of the first aspect, the step of performing, by a security protection unit in an access verification process of the target registered access item, security protection processing on control instruction information in the control channel includes:
identifying control instruction information in the control channel, and acquiring access verification information corresponding to an access verification request when identifying that the control instruction information is associated with the access verification request;
and after the access verification information passes verification, performing security protection on the control instruction information in the control channel through a security protection unit in an access verification process of the target registered access item.
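The registration and access steps of the first aspect, together with the verify-then-protect step just described, can be read as a default-deny, per-item access control flow. The Python sketch below is an added example, not code from the patent. It assumes that a security protection unit is a command allow-list selected by the authority position, and that the access verification information is an HMAC proof; all class names, item names, device ids and terminal ids are hypothetical.

```python
# Added illustration; every class, field, item name and id here is hypothetical.
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ProtectionUnit:
    """Assumed form of a security protection unit: a per-item command allow-list."""
    item: str
    allowed_commands: frozenset

    def process(self, instruction):
        # Default deny: only commands the unit names may enter the control channel.
        return instruction.get("cmd") in self.allowed_commands


@dataclass
class BaseStation:
    station_id: str
    script_library: dict           # item -> authority position -> allowed commands
    device_control_sequence: set   # devices the station lets terminals control
    authorized_terminals: set = field(default_factory=set)


class CloudServer:
    def __init__(self, stations):
        self.stations = {s.station_id: s for s in stations}
        self.bindings = {}  # (terminal, station, item) -> ProtectionUnit
        self.keys = {}      # terminal -> key behind the access verification info

    def register(self, terminal, station_id, items, authority_position):
        """Registration: resolve one protection unit per registered access item."""
        station = self.stations[station_id]
        units = {}
        for item in items:
            script = station.script_library.get(item, {})
            if authority_position not in script:
                raise PermissionError(f"no script for {item!r} at {authority_position!r}")
            units[item] = ProtectionUnit(item, frozenset(script[authority_position]))
        # Commit only after every item resolved, so a rejected request binds nothing.
        for item, unit in units.items():
            self.bindings[(terminal, station_id, item)] = unit
        station.authorized_terminals.add(terminal)
        self.keys[terminal] = secrets.token_bytes(32)
        return self.keys[terminal]

    @staticmethod
    def sign(key, terminal, item, device, instruction):
        # Canonical JSON avoids ambiguous field boundaries in the signed message.
        msg = json.dumps([terminal, item, device, instruction],
                         sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(key, msg, hashlib.sha256).hexdigest()

    def access(self, terminal, station_id, item, device, instruction, proof):
        """Access: verify first, then let the item's unit filter the instruction."""
        station = self.stations.get(station_id)
        if station is None or terminal not in station.authorized_terminals:
            return "deny: terminal not in authorized terminal sequence"
        unit = self.bindings.get((terminal, station_id, item))
        if unit is None:
            return "deny: item not registered"
        if device not in station.device_control_sequence:
            return "deny: device not in device control sequence"
        expected = self.sign(self.keys[terminal], terminal, item, device, instruction)
        if not hmac.compare_digest(expected, proof):
            return "deny: access verification failed"
        if not unit.process(instruction):
            return "deny: instruction blocked by protection unit"
        return "allow"


def demo():
    """Constructed scenario: a 'viewer' registers for lighting only."""
    station = BaseStation(
        "bs-01",
        script_library={
            "lighting": {"operator": ["on", "off", "status"], "viewer": ["status"]},
            "door-lock": {"operator": ["lock", "unlock"]},
        },
        device_control_sequence={"lamp-7", "lock-2"},
    )
    server = CloudServer([station])
    key = server.register("term-A", "bs-01", ["lighting"], "viewer")

    def attempt(item, device, cmd, k=key):
        ins = {"cmd": cmd}
        proof = server.sign(k, "term-A", item, device, ins)
        return server.access("term-A", "bs-01", item, device, ins, proof)

    return [
        attempt("lighting", "lamp-7", "status"),
        attempt("lighting", "lamp-7", "off"),
        attempt("door-lock", "lock-2", "unlock"),
        attempt("lighting", "lamp-7", "status", k=bytes(32)),
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Each denial names the check that failed, which is the property a per-item design is meant to give an operator reviewing rejected control instructions.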
In a second aspect, an embodiment of the present invention further provides a network security protection device for internet of things mobile base stations, which is applied to an internet of things cloud server, where the internet of things cloud server is in communication connection with a plurality of internet of things mobile base stations and is in communication connection with an internet of things verification terminal for registering in each internet of things mobile base station, and the device includes:
the acquisition module is used for acquiring a registration use request aiming at a target Internet of things mobile base station sent by the Internet of things verification terminal and acquiring corresponding registration access project data and a registration application authority position from the registration use request;
an extraction module, configured to extract a preset security protection script of each registered access item in the registered access item data, relative to the target internet of things mobile base station, determine a security protection unit corresponding to the registered application permission position according to the preset security protection script, and after associating each security protection unit with an access verification process of a corresponding registered access item, issue terminal information of the internet of things verification terminal to the target internet of things mobile base station and enable the target internet of things mobile base station to record the terminal information of the internet of things verification terminal into an authorized terminal sequence corresponding to an equipment control sequence, where the equipment control sequence includes multiple pieces of internet of things equipment for control of the internet of things verification terminal;
the protection module is used for requesting the target Internet of things mobile base station to establish a control channel between the Internet of things verification terminal and target Internet of things equipment corresponding to the access request when receiving the access request aiming at the target registration access item corresponding to the target Internet of things mobile base station sent by the Internet of things verification terminal, and carrying out safety protection processing on control instruction information in the control channel through a safety protection unit in an access verification process of the target registration access item.
In a third aspect, an embodiment of the present invention further provides a network security protection system for an internet of things mobile base station, where the network security protection system for the internet of things mobile base station includes an internet of things cloud server and a plurality of internet of things mobile base stations in communication connection with the internet of things cloud server, and the internet of things cloud server is also in communication connection with an internet of things verification terminal for registering in each internet of things mobile base station;
the internet of things verification terminal is used for sending a registration use request aiming at a target internet of things mobile base station to the internet of things cloud server;
the Internet of things cloud server is used for acquiring a registration use request aiming at a target Internet of things mobile base station sent by the Internet of things verification terminal, and acquiring corresponding registration access project data and a registration application authority position from the registration use request;
the internet of things cloud server is used for extracting a preset safety protection script of each registered access item in the registered access item data relative to the target internet of things mobile base station, determining a safety protection unit corresponding to the registered application authority position according to the preset safety protection script, associating each safety protection unit with an access verification process of a corresponding registered access item, issuing terminal information of the internet of things verification terminal to the target internet of things mobile base station, and enabling the target internet of things mobile base station to record the terminal information of the internet of things verification terminal into an authorized terminal sequence corresponding to an equipment control sequence, wherein the equipment control sequence comprises a plurality of internet of things equipment for controlling the internet of things verification terminal;
the internet of things cloud server is used for requesting the target internet of things mobile base station to establish a control channel between the internet of things verification terminal and target internet of things equipment corresponding to the access request when receiving the access request aiming at a target registration access item corresponding to the target internet of things mobile base station and sent by the internet of things verification terminal, and carrying out safety protection processing on control instruction information in the control channel through a safety protection unit in an access verification process of the target registration access item.
In a fourth aspect, an embodiment of the present invention further provides an internet of things cloud server, where the internet of things cloud server includes a processor, a machine-readable storage medium, and a network interface, where the machine-readable storage medium, the network interface, and the processor are connected through a bus system, the network interface is configured to be in communication connection with at least one internet of things mobile base station, the machine-readable storage medium is configured to store a program, an instruction, or a code, and the processor is configured to execute the program, the instruction, or the code in the machine-readable storage medium, so as to execute the network security protection method for the internet of things mobile base station in any one of the first aspect or possible designs of the first aspect.
In a fifth aspect, an embodiment of the present invention provides a computer-readable storage medium, where instructions are stored in the computer-readable storage medium, and when the instructions are executed, the computer is caused to execute the network security protection method for the mobile base station of the internet of things in the first aspect or any one of the possible designs of the first aspect.
Based on any one of the above aspects, the preset security protection script of each registered access item in the registered access item data, relative to the target Internet of things mobile base station, is extracted, so that the security protection unit corresponding to the registered application authority position is determined and associated with the access verification process of the corresponding registered access item. When the Internet of things verification terminal is to access the target registered access item, the target Internet of things mobile base station is requested to establish a control channel between the Internet of things verification terminal and the target Internet of things device, and the corresponding security protection unit performs security protection processing on the control instruction information in the control channel. In this way, network security protection of the different registered access items during data interaction can be performed on the Internet of things mobile base station in a more targeted manner, targeted management with the registered access items as the network security protection objects is achieved, and the security of Internet of things services is improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are required to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained according to the drawings without inventive efforts.
Fig. 1 is a schematic view of an application scenario of a network security protection system of an internet of things mobile base station according to an embodiment of the present invention;
Fig. 2 is a schematic flow chart of a network security protection method for a mobile base station of the internet of things according to an embodiment of the present invention;
Fig. 3 is a functional module schematic diagram of a network security protection device of a mobile base station of the internet of things according to an embodiment of the present invention;
Fig. 4 is a block diagram illustrating a structure of a server for implementing the network security protection method for the mobile base station of the internet of things according to the embodiment of the present invention.
Detailed Description
The present invention is described in detail below with reference to the drawings, and the detailed operation method in the following method embodiments can also be applied to the device embodiments or the system embodiments.
Fig. 1 is an interaction schematic diagram of a network security protection system 10 of a mobile base station of the internet of things according to an embodiment of the present invention. The network security protection system 10 of the internet of things mobile base station may include an internet of things cloud server 100 and a plurality of internet of things mobile base stations 300 (only two are shown in Fig. 1) communicatively connected to the internet of things cloud server 100. The internet of things cloud server 100 is further communicatively connected to internet of things verification terminals 200 (only two are shown in Fig. 1) that register with each internet of things mobile base station 300. The network security protection system 10 of the internet of things mobile base station shown in Fig. 1 is only one possible example; in other possible embodiments, the system may include only a part of the components shown in Fig. 1 or may include other components.
In this embodiment, the internet of things mobile base station 300 may be configured to provide a control channel between the internet of things verification terminal 200 and related internet of things devices within a certain area range, so as to facilitate regional-level management of internet of things devices.
In this embodiment, the internet of things verification terminal 200 may include a mobile device, a tablet computer, a laptop computer, or any combination thereof. In some embodiments, the mobile device may include a smart home device, a wearable device, a smart mobile device, a virtual reality device, an augmented reality device, or the like, or any combination thereof. In some embodiments, the smart home devices may include control devices of smart electrical devices, smart monitoring devices, smart televisions, smart cameras, and the like, or any combination thereof. In some embodiments, the wearable device may include a smart bracelet, a smart lace, smart glasses, a smart helmet, a smart watch, a smart garment, a smart backpack, a smart accessory, or the like, or any combination thereof. In some embodiments, the smart mobile device may include a smartphone, a personal digital assistant, a gaming device, and the like, or any combination thereof. In some embodiments, the virtual reality device and/or the augmented reality device may include a virtual reality helmet, virtual reality glasses, a virtual reality patch, an augmented reality helmet, augmented reality glasses, an augmented reality patch, or the like, or any combination thereof. For example, the virtual reality device and/or augmented reality device may include various virtual reality products and the like.
In this embodiment, the internet of things cloud server 100, the internet of things mobile base station 300, and the internet of things verification terminal 200 in the network security protection system 10 of the internet of things mobile base station may cooperate to execute the network security protection method of the internet of things mobile base station described in the following method embodiment. For the specific steps executed by the internet of things cloud server 100, the internet of things mobile base station 300, and the internet of things verification terminal 200, refer to the detailed description of the following method embodiment.
In order to solve the technical problem in the foregoing background, fig. 2 is a schematic flow chart of a network security protection method of an internet of things mobile base station according to an embodiment of the present invention, where the network security protection method of the internet of things mobile base station according to the embodiment may be executed by the internet of things cloud server 100 shown in fig. 1, and the network security protection method of the internet of things mobile base station is described in detail below.
Step S110, a registration use request for the target internet of things mobile base station sent by the internet of things verification terminal 200 is obtained, and corresponding registration access item data and registration application authority position are obtained from the registration use request.
Step S120, a preset security protection script of each registered access item in the registered access item data relative to the target internet of things mobile base station is extracted, a security protection unit corresponding to the registered application authority position is determined according to the preset security protection script, and each security protection unit is associated with the access verification process of the corresponding registered access item; terminal information of the internet of things verification terminal 200 is then issued to the target internet of things mobile base station, so that the target internet of things mobile base station records the terminal information of the internet of things verification terminal 200 in an authorized terminal sequence corresponding to the device control sequence.
Step S130, when receiving an access request for a target registration access item corresponding to the target internet of things mobile base station sent by the internet of things authentication terminal 200, requesting the target internet of things mobile base station to establish a control channel between the internet of things authentication terminal 200 and a target internet of things device corresponding to the access request, and performing security protection processing on control instruction information in the control channel through a security protection unit in an access authentication process of the target registration access item.
In this embodiment, the internet of things verification terminal 200 may select a certain target internet of things mobile base station to request the internet of things cloud server 100 to perform registration, and during the process of requesting registration, it is necessary to select related registration access item data and registration application authority position. The registered access item data may be used to represent a specific situation of a registered access item selected by the internet of things authentication terminal 200, and the registered access item may refer to an item related to an internet of things device, such as a control item of an intelligent medical device, a data display item, or a rendering item of a virtual reality device, and is not limited in detail herein. The registered application permission location may refer to a location node corresponding to a specific application permission type, such as a data reading permission type, a data control permission type, a data writing permission type, and the like, which is not specifically limited herein.
In this embodiment, the device control sequence may include a plurality of internet of things devices, such as a virtual reality device, an augmented reality device, and a smart medical terminal, which are controlled by the internet of things verification terminal 200.
Based on the above steps, in this embodiment, by extracting the preset security protection script of each registered access item in the registered access item data relative to the target internet of things mobile base station, the security protection unit corresponding to the registered application permission position is determined and is to be respectively associated with the access verification process of the corresponding registered access item, when the target registered access item is to be accessed by the internet of things verification terminal 200, a request is made to the target internet of things mobile base station to establish a control channel between the internet of things verification terminal 200 and the target internet of things device, and the security protection processing is performed on the control instruction information in the control channel through the corresponding security protection unit. Therefore, network security protection of different registered access projects in the data interaction process can be performed on the mobile base station 300 of the internet of things more specifically, targeted management with the registered access projects as network security protection objects is achieved, and the security of services of the internet of things is improved.
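The flow of steps S110 to S130, as an added Python sketch that is not part of the patent text. It assumes a preset security protection script can be modelled as the set of control instructions each authority position may send for one access item; the script library contents, instruction names, identifiers and the `access_verified` flag (standing in for the result of the item's access verification process) are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data. Assumption: per base station and access item, the
# script lists the control instructions each authority position may send.
PRESET_SCRIPT_LIBRARY = {
    "station-C": {
        "medical-device-control": {
            "read": {"GET_STATUS"},
            "control": {"GET_STATUS", "SET_RATE"},
        },
        "data-display": {"read": {"GET_FRAME"}},
    },
}


@dataclass(frozen=True)
class ProtectionUnit:
    """Protection unit bound to one registered access item (hypothetical model)."""
    item: str
    position: str
    allowed: frozenset

    def protect(self, instructions):
        """Split control instruction information into (forwarded, blocked)."""
        forwarded = [i for i in instructions if i in self.allowed]
        blocked = [i for i in instructions if i not in self.allowed]
        return forwarded, blocked


@dataclass
class BaseStation:
    name: str
    authorized_terminals: list = field(default_factory=list)
    channels: list = field(default_factory=list)

    def record_terminal(self, terminal_id):
        if terminal_id not in self.authorized_terminals:
            self.authorized_terminals.append(terminal_id)

    def open_channel(self, terminal_id, device_id):
        # The base station refuses channels for terminals it has not recorded.
        if terminal_id not in self.authorized_terminals:
            raise PermissionError(f"{terminal_id} is not an authorized terminal")
        channel = (terminal_id, device_id)
        self.channels.append(channel)
        return channel


class CloudServer:
    def __init__(self, stations):
        self.stations = {s.name: s for s in stations}
        self.bindings = {}  # (terminal, station, item) -> ProtectionUnit

    def register(self, terminal_id, station, items, position):
        """S110 + S120: derive one protection unit per item, then authorize the terminal."""
        if station not in self.stations:
            raise PermissionError(f"unknown base station {station!r}")
        scripts = PRESET_SCRIPT_LIBRARY.get(station, {})
        units = []
        for item in items:
            allowed = scripts.get(item, {}).get(position)
            if allowed is None:
                raise PermissionError(f"{item!r} has no script for position {position!r}")
            units.append(ProtectionUnit(item, position, frozenset(allowed)))
        # Bind only after every item validated, so a rejected request leaves no state.
        for unit in units:
            self.bindings[(terminal_id, station, unit.item)] = unit
        self.stations[station].record_terminal(terminal_id)
        return units

    def access(self, terminal_id, station, item, device_id, instructions, access_verified):
        """S130: open the control channel and filter it through the item's unit."""
        unit = self.bindings.get((terminal_id, station, item))
        if unit is None:
            raise PermissionError(f"{item!r} is not registered for {terminal_id}")
        if not access_verified:
            raise PermissionError("access verification failed")
        self.stations[station].open_channel(terminal_id, device_id)
        return unit.protect(instructions)


def demo():
    """A read-only registration: the write-style instruction is blocked."""
    station = BaseStation("station-C")
    server = CloudServer([station])
    server.register("terminal-200", "station-C", ["medical-device-control"], "read")
    return server.access("terminal-200", "station-C", "medical-device-control",
                         "pump-1", ["GET_STATUS", "SET_RATE"], access_verified=True)
```

Because the protection unit is looked up by terminal, base station and access item together, a terminal registered for one item gets no channel for another item on the same base station.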
In a possible implementation manner, for step S110, internet of things mobile base stations 300 in different areas may be bound in advance in the internet of things cloud server 100, so that the internet of things mobile base station 300 list in the target area requested by the internet of things verification terminal 200 may be sent to the internet of things verification terminal 200. On this basis, the target internet of things mobile base station determined by the internet of things verification terminal 200 from the internet of things mobile base station 300 list can be obtained, and the registration access item selection list and the registration application authority position selection list of the target internet of things mobile base station are sent to the internet of things verification terminal 200. Next, a registration use request sent after the internet of things authentication terminal 200 performs a selection operation on the registration access item selection list and the registration application authority position selection list is obtained, and corresponding registration access item data and a registration application authority position are obtained from the registration use request.
For example, assume that the internet of things mobile base station list in the target area requested by the internet of things verification terminal 200, as sent to the internet of things verification terminal 200, includes an internet of things mobile base station A, an internet of things mobile base station B, an internet of things mobile base station C, and an internet of things mobile base station D. If the target internet of things mobile base station selected by the internet of things verification terminal 200 is the internet of things mobile base station C, the registration access item selection list and the registration application authority position selection list of the internet of things mobile base station C are sent to the internet of things verification terminal 200.
In a possible implementation manner, for step S120, in the network security protection process, the embodiment may specifically determine the security protection unit based on an authority protocol layer, where the authority protocol layer may refer to a set formed by related authority protocol nodes for authority control management in the network protocol layer.
On this basis, in the embodiment, the preset security protection script of each registered access item in the registered access item data relative to the target internet of things mobile base station can be extracted from the preset security protection script library of the target internet of things mobile base station, and then the authority protocol range of the registered application authority position in the authority protocol layer is determined according to the preset security protection script, so that the security protection unit corresponding to the registered application authority position can be determined according to the authority protocol range and the authority position of each authority protocol node in the authority protocol layer.
For example, in a possible implementation manner, in the process of determining the security protection unit corresponding to the registered application authority position according to the authority protocol range and the authority position of each authority protocol node in the authority protocol layer, the embodiment may specifically obtain the registered access item data pre-bound by each authority protocol node in the authority protocol layer, and determine whether the registered access item data pre-bound by each authority protocol node includes access item feature information matched with a protocol response component in the authority protocol range.
Illustratively, registered access item data pre-bound by each authority protocol node in the authority protocol layer may be acquired, at least one protection protocol data of a set protection protocol is present in the registered access item data pre-bound by each authority protocol node, and then the protection protocol data of the set protection protocol is grouped according to different set protection protocols to obtain a plurality of first protection protocol data feature groups. It should be understood that the first protection protocol data feature group is a set of protection protocol data containing the same set protection protocol, and the set protection protocol corresponding to each first protection protocol data feature group is different.
Then, the target protection protocol data characteristics existing in the protection protocol data of each first protection protocol data characteristic group can be determined according to the protocol response component of the authority protocol range, a plurality of second protection protocol data characteristic groups are obtained, and whether the authority protocol range of each set protection protocol in the plurality of second protection protocol data characteristic groups is larger than the authority protocol range is judged. And if the authority protocol range of each set protection protocol in the plurality of second protection protocol data characteristic groups is larger than the authority protocol range, judging that the registered access item data pre-bound by each authority protocol node comprises access item characteristic information matched with the protocol response component of the authority protocol range. And if the authority protocol range of each set protection protocol in the plurality of second protection protocol data characteristic groups is not larger than the authority protocol range, judging that the registered access item data pre-bound by each authority protocol node does not include the access item characteristic information matched with the protocol response component of the authority protocol range.
Wherein, the protocol response component may refer to a component function that performs a guard function in a protocol response process.
In this case, when the registered access item data pre-bound by each authority protocol node does not include access item feature information matching the protocol response component of the authority protocol range, the pieces of registered access item data that do match the protocol response component of the authority protocol range may be determined as a plurality of pieces of target registered access item data.
Then, the authority position of each target registration access item data in the plurality of target registration access item data can be obtained, the plurality of target registration access item data are sequentially spliced according to the sequence of the authority positions of each target registration access item data, and the updated registration access item sequence is determined, so that the target security protection unit of the registration access item data in the authority protocol layer can be determined according to the updated registration access item sequence and the authority protocol range.
For example, in one possible example, the registered access item data in the preset protection type interval corresponding to the target internet of things mobile base station may be determined according to the updated registered access item sequence and the authority protocol range, and then the target security protection unit of the registered access item data in the authority protocol layer may be determined according to the registered access item data of the internet of things mobile base station 300 in the preset protection type interval.
For example, in an alternative implementation manner, the security protection units of the authority protocol layers corresponding to the multiple protection configuration nodes of the internet of things mobile base station 300 in the preset protection type interval may first be obtained. For the security protection units, in the preset protection type interval, of the authority protocol layer corresponding to each protection configuration node, a security protection unit that meets the preset pending condition is selected from the currently unmarked security protection units of that protection configuration node in the preset protection type interval, and is marked as the pending security protection unit.
Then, the protection instance parameters of the pending security protection unit in the protocol environment of the authority protocol layer are determined, continuing until no unmarked security protection unit remains among the security protection units in the preset protection type interval.
It should be noted that the process of determining the protection instance parameter of each pending security protection unit in the protocol environment of the authority protocol layer is as follows:
First, the protection instance parameter of the pending security protection unit in the protocol environment of the authority protocol layer is determined based on: the protection level of the pending security protection unit in its protection configuration node; the first protection instance parameter, already determined in the protocol environment of the authority protocol layer, of the security protection unit in that protocol environment; and the second protection instance parameter, already determined in the protocol environment of the authority protocol layer, of the security protection units in other protection configuration nodes that share the same protocol environment. The other protection configuration nodes may be the obtained protection configuration nodes other than the one where the pending security protection unit is located. The protection instance parameter of the pending security protection unit in the protocol environment of the authority protocol layer is the protection instance parameter obtained by fusing the first protection instance parameter and the protection instance parameters based on the fusion parameters corresponding to the protection level.
In this embodiment, the protocol environment may refer to an operating system environment running with the authority protocol layer, and the protection instance parameter may refer to an instance call function specifically executed in the protection process.
On this basis, the associated protection configuration parameters of the current protection configuration node may be determined according to the protection configuration script and the protection instance parameters of the current protection configuration node in the preset protection type interval, where the preset protection type interval corresponds to a plurality of protection configuration nodes, and the current protection configuration node is any one of the plurality of protection configuration nodes.
And then, performing associated protection configuration on the registered access item data according to the associated protection configuration parameters of the current protection configuration node to obtain associated protection configuration information, and counting performance dimension information including the current registered access item data, total associated protection configuration parameters of the current protection configuration node and protection performance information of the current protection configuration node according to the associated protection configuration information.
Then, the associated protection configuration parameters of the next protection configuration node adjacent to the current protection configuration node in the preset protection type interval can be determined according to the protection label of the current protection configuration node, the preset associated protection configuration parameters and the protection performance information, so that the protection protocol data of the next adjacent protection configuration node is determined by calculating the associated protection configuration parameters of the next adjacent protection configuration node.
For example, in one possible example, the set protection level of the protection configuration node sequence in the preset protection type interval may be obtained, the set protection level of the protection configuration node sequence in the preset protection type interval is determined as the set protection level of the current protection configuration node, and then the weighted protection level of the current protection configuration node is obtained by calculation according to the protection label of the current protection configuration node and the set protection level of the current protection configuration node, where the weighted protection level may be obtained by multiplying the set protection level by a coefficient corresponding to the protection label.
Then, the actual protection performance strength of the protection configuration node sequence of the preset protection type interval is obtained and is updated by calculation according to the weighted protection level of the current protection configuration node, the preset associated protection configuration parameter of the current protection configuration node, and that actual protection performance strength. Next, the target protection performance strength of the protection configuration node sequence of the preset protection type interval may be calculated according to the updated actual protection performance strength, the preset initial protection performance strength, the initial protection configuration node of the sequence, and the tail protection configuration node of the sequence. A protection associated parameter may then be calculated according to the actual protection performance strength of the sequence, the preset initial protection performance strength, the initial protection configuration node of the sequence, and the tail protection configuration node of the sequence.
Therefore, the target protection performance strength of the protection configuration node sequence for the next adjacent protection configuration node in the preset protection type interval is calculated according to the target protection performance strength of the protection configuration node sequence of the preset protection type interval, the actual protection performance strength of that sequence, and the protection associated parameter. The performance control parameter of the next adjacent protection configuration node in the preset protection type interval is then determined. Finally, the associated protection configuration parameters of the next protection configuration node adjacent to the current protection configuration node in the preset protection type interval are obtained by a weighted calculation over the performance control parameter, the target protection performance strength of the protection configuration node sequence for the next adjacent protection configuration node, and the protection associated parameter, each with its corresponding weighting parameter.
In this way, a target security protection unit of the registered access item data in the authority protocol layer can be determined by accumulating the protection instruction set formed by the protection protocol data of each determined protection configuration node, and the target security protection unit includes the protection instruction set.
In a possible implementation manner, for step S130, the present embodiment may identify control instruction information in the control channel, obtain access authentication information corresponding to the access authentication request when it is identified that the access authentication request is associated in the control instruction information, and perform security protection on the control instruction information in the control channel through a security protection unit in an access authentication process of a target registered access item after the access authentication information is authenticated.
For example, the access verification information may be verification information in a living body monitoring process, for example, a face image data stream of each continuous time node of a target acquisition area acquired by the internet of things verification terminal 200 when a face verification instruction is detected in a preset time period may be specifically acquired, then each suspected living body area corresponding to the target acquisition area is determined according to the face image data stream of each continuous time node, and for each suspected living body area, associated suspected living body areas having relevance to the current suspected living body area are respectively determined from the face image data streams of the remaining time nodes. On the basis, face verification can be performed according to each suspected living area and the associated suspected living area which is associated with each suspected living area, and after the verification is passed, the control instruction information in the control channel can be subjected to safety protection through a safety protection unit in an access verification process of the target registration access item.
In a possible implementation manner, the internet of things verification terminal 200 may collect, when a face verification instruction is detected after various internet of things services (for example, services such as smart home control, smart medical linkage, smart city data retrieval linkage, and the like) are enabled, a face image data stream of each continuous time node in a preset time period in a target collection area. The target acquisition region may be a region that can be acquired by the internet of things verification terminal 200, and the preset time period may be flexibly set according to different internet of things service requirements, for example, 5 seconds may be set as a preset time period. Each time node may refer to a specific time, or may refer to a sub-time period within the preset time period, which is not limited herein.
In one possible implementation, the suspected living area may be understood as an area that needs to be subjected to living examination, and an area outside the suspected living area may be obviously determined as a non-living area in general.
In a possible implementation manner, in order to improve the accuracy of each suspected living body area in the determination process and reduce the identification error, the present embodiment further considers dynamic changes that may occur in the spectral reflection process, for example, the present embodiment may determine, according to the face image data stream of each successive time node, light reflection dynamic change information including light reflection characteristic information of the target acquisition area, and determine, in the light reflection dynamic change information, first dynamic change information having a first light reflection characteristic and second dynamic change information having a second light reflection characteristic.
The first light reflection characteristic may be used to represent a light reflection characteristic having a light reflection intensity greater than a first preset intensity, and the second light reflection characteristic may be used to represent a light reflection characteristic having a light reflection intensity less than a second preset intensity. It should be noted that the first preset intensity and the second preset intensity may be the same or different, and may be flexibly set, and when the first preset intensity and the second preset intensity are not the same, the second preset intensity is smaller than the first preset intensity.
Next, in the light reflection characteristics of the light reflection dynamic change information corresponding to the face position of the target collection area, the light reflection characteristics of key points of the face position are determined, and the interval size of a first dynamic change pixel value interval on the first dynamic change information and the interval size of a second dynamic change pixel value interval on the second dynamic change information are obtained.
And if the interval size of the first dynamic change pixel value interval and the interval size of the second dynamic change pixel value interval are both larger than or equal to the set length, comparing the interval size of the first dynamic change pixel value interval with the interval size of the second dynamic change pixel value interval, and if the interval size of the first dynamic change pixel value interval is larger than the interval size of the second dynamic change pixel value interval, taking the first dynamic change pixel value interval as a suspected living pixel value interval.
Or, if the interval size of the second dynamic change pixel value interval is larger than the interval size of the first dynamic change pixel value interval, the second dynamic change pixel value interval is used as the suspected living body pixel value interval.
Or, if the interval size of the first dynamically changing pixel value interval is equal to the interval size of the second dynamically changing pixel value interval, the first dynamically changing pixel value interval or the second dynamically changing pixel value interval is used as the suspected living pixel value interval.
Therefore, the area that matches each suspected living body pixel value interval and also matches the light reflection characteristics of the key points of the face position can be determined as a suspected living body area to be determined. The light reflection dynamic change information is then segmented into a plurality of pieces of segmented dynamic change information according to the suspected living body areas to be determined, and, according to the relation between the change range of each piece of segmented dynamic change information and a preset range, each suspected living body area to be determined that satisfies the condition is determined as a suspected living body area corresponding to the target acquisition area.
For example, in one possible example, when the change range of each piece of segmented dynamic change information is within the preset range, it may be determined that the suspected living body area to be determined satisfies the condition; otherwise, it is determined that the suspected living body area to be determined does not satisfy the condition.
In a possible implementation manner, in order to facilitate accurate acquisition of a relevant suspected living area having a relevance with a current suspected living area, for each suspected living area, at least one local feature group of the suspected living area may be acquired, and each local feature group in the at least one local feature group is analyzed to acquire a key feature point included in each local feature group.
It should be noted that the local feature group may be used to represent each local feature point of the suspected living body area and face part information corresponding to each local feature point, such as an eye part, a nose part, a lip part, and the like.
On this basis, the feature point change value, the feature point depth value and the feature point color value of each key feature point in the corresponding time period are obtained.
It should be noted that the feature point change value, the feature point depth value and the feature point color value respectively describe the change, the depth and the color of each key feature point.
Therefore, the feature point change value, the feature point depth value and the feature point color value of each key feature point in the corresponding time period can be mapped and associated and then combined, so that a feature value mapping sequence corresponding to each key feature point is obtained. It is understood that the merged feature value mapping sequence may be used to represent the correspondence between the feature point change value, the feature point depth value, and the feature point color value of each key feature point in the corresponding time period.
Finally, the associated suspected living body areas that are associated with the current suspected living body area are respectively determined from the face image data streams of the remaining time nodes according to the feature value mapping sequence corresponding to each key feature point.
For example, a region having a matching relationship with the feature value mapping sequence corresponding to each key feature point may be searched from the face image data stream of the remaining time nodes, as an associated suspected living body region having an association with the current suspected living body region.
In a possible implementation manner, when the security protection unit in the access verification process of the target registered access item performs security protection on the control instruction information in the control channel, control instruction feature identification is specifically performed on the control instruction information in the control channel at each security protection node in each security protection unit, to determine whether the relevant code information in each control instruction carries a risk; if it does, the relevant code information is deleted.
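The per-node identification and deletion described above, sketched as an added example that is not code from the patent. The patent does not define what makes code information risky, so the entry shape, the two node rules (authority type and membership in the device control sequence) and all identifiers and sample values are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple

# Authority types named in the patent: data reading, data control, data writing.
READ, CONTROL, WRITE = "read", "control", "write"


@dataclass(frozen=True)
class CodeEntry:
    """One piece of code information in a control instruction (assumed shape)."""
    operation: str   # READ, CONTROL or WRITE
    device_id: str   # target Internet of things device
    payload: str     # opaque command body


@dataclass
class ControlInstruction:
    terminal_id: str
    entries: List[CodeEntry]


@dataclass
class ProtectionNode:
    """A security protection node: a name plus a risk predicate over one entry."""
    name: str
    is_risky: Callable[[CodeEntry], bool]


@dataclass
class ProtectionUnit:
    """Ordered security protection nodes applied to each control instruction."""
    nodes: List[ProtectionNode]

    def protect(
        self, instruction: ControlInstruction
    ) -> Tuple[Optional[ControlInstruction], List[Tuple[str, CodeEntry]]]:
        """Delete risky entries node by node.

        Returns the cleaned instruction (None if nothing survives, so an
        empty instruction is never forwarded) and an audit list recording
        which node removed which entry.
        """
        kept = list(instruction.entries)
        removed: List[Tuple[str, CodeEntry]] = []
        for node in self.nodes:
            survivors = []
            for entry in kept:
                if node.is_risky(entry):
                    removed.append((node.name, entry))
                else:
                    survivors.append(entry)
            kept = survivors
        cleaned = ControlInstruction(instruction.terminal_id, kept) if kept else None
        return cleaned, removed


def build_unit(granted_authority: Set[str],
               device_control_sequence: Set[str]) -> ProtectionUnit:
    """Assumed rules: an entry is risky if its operation exceeds the granted
    authority types, or if it targets a device outside the device control
    sequence recorded for the terminal."""
    return ProtectionUnit(nodes=[
        ProtectionNode("authority",
                       lambda e: e.operation not in granted_authority),
        ProtectionNode("device-scope",
                       lambda e: e.device_id not in device_control_sequence),
    ])


def demo():
    # Constructed sample: terminal granted read and control on two devices.
    unit = build_unit({READ, CONTROL}, {"infusion-pump-01", "monitor-02"})
    instruction = ControlInstruction("terminal-200", [
        CodeEntry(READ, "monitor-02", "get vitals"),
        CodeEntry(WRITE, "monitor-02", "overwrite log"),   # exceeds authority
        CodeEntry(CONTROL, "vr-headset-09", "render"),     # device out of scope
        CodeEntry(CONTROL, "infusion-pump-01", "pause"),
    ])
    return unit.protect(instruction)


if __name__ == "__main__":
    cleaned, removed = demo()
    print("forwarded:", [e.payload for e in cleaned.entries])
    for node_name, entry in removed:
        print("deleted by", node_name, "->", entry)
```

The audit list is what an operator would log: it ties every deletion to the node that made the decision.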
Fig. 3 is a schematic functional module diagram of a network security protection device 400 of an internet of things mobile base station according to an embodiment of the present invention. In this embodiment, the functional modules of the network security protection device 400 of the internet of things mobile base station may be divided according to the method embodiment executed by the internet of things cloud server 100; that is, the following functional modules of the network security protection device 400 of the internet of things mobile base station may be used to execute each method embodiment executed by the internet of things cloud server 100. The network security protection device 400 of the internet of things mobile base station may include an obtaining module 410, an extracting module 420, and a protecting module 430, and the functions of these functional modules are described in detail below.
The obtaining module 410 is configured to obtain a registration use request for the target internet of things mobile base station sent by the internet of things verifying terminal 200, and obtain corresponding registration access item data and a registration application authority position from the registration use request. The obtaining module 410 may be configured to perform the step S110, and the detailed implementation of the obtaining module 410 may refer to the detailed description of the step S110.
The extracting module 420 is configured to extract a preset security protection script of each registered access item in the registered access item data relative to the target internet of things mobile base station, determine a security protection unit corresponding to the registered application permission position according to the preset security protection script, associate each security protection unit with an access verification process of the corresponding registered access item, issue terminal information of the internet of things verification terminal 200 to the target internet of things mobile base station, and enable the target internet of things mobile base station to record the terminal information of the internet of things verification terminal 200 into an authorized terminal sequence corresponding to an equipment control sequence, where the equipment control sequence includes a plurality of internet of things devices that can be controlled by the internet of things verification terminal 200. The extracting module 420 may be configured to perform the step S120, and the detailed implementation of the extracting module 420 may refer to the detailed description of the step S120.
The protection module 430 is configured to, when receiving an access request for a target registration access item corresponding to a target internet of things mobile base station and sent by the internet of things authentication terminal 200, request the target internet of things mobile base station to establish a control channel between the internet of things authentication terminal 200 and a target internet of things device corresponding to the access request, and perform security protection processing on control instruction information in the control channel through a security protection unit in an access authentication process of the target registration access item. The protection module 430 may be configured to perform the step S130, and the detailed implementation manner of the protection module 430 may refer to the detailed description of the step S130.
Further, fig. 4 is a schematic structural diagram of an internet of things cloud server 100 for executing the network security protection method of the internet of things mobile base station according to the embodiment of the present invention. As shown in fig. 4, the internet of things cloud server 100 may include a network interface 110, a machine-readable storage medium 120, a processor 130, and a bus 140. There may be one or more processors 130; one processor 130 is illustrated in fig. 4 as an example. The network interface 110, the machine-readable storage medium 120, and the processor 130 may be connected by a bus 140 or otherwise; connection by the bus 140 is shown in fig. 4 as an example.
The machine-readable storage medium 120 is a computer-readable storage medium, and can be used to store software programs, computer-executable programs, and modules, such as program instructions/modules corresponding to the network security protection method of the internet of things mobile base station in the embodiment of the present invention (for example, the obtaining module 410, the extracting module 420, and the protecting module 430 of the network security protection apparatus 400 of the internet of things mobile base station shown in fig. 3). The processor 130 executes various functional applications and data processing of the terminal device by detecting the software program, the instructions and the modules stored in the machine-readable storage medium 120, that is, the network security protection method of the mobile base station of the internet of things is implemented, and details are not described herein again.
The machine-readable storage medium 120 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created according to the use of the terminal, and the like. Further, the machine-readable storage medium 120 may be either volatile memory or nonvolatile memory, or may include both volatile and nonvolatile memory.
The processor 130 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method embodiments may be performed by integrated logic circuits of hardware or instructions in the form of software in the processor 130.
The internet of things cloud server 100 can perform information interaction with other devices (such as the internet of things verification terminal 200 and the internet of things mobile base station 300) through the network interface 110. Network interface 110 may be a circuit, bus, transceiver, or any other device that may be used to exchange information. Processor 130 may send and receive information using network interface 110.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications and substitutions do not necessarily depart from the spirit and scope of the corresponding technical solutions.

Claims (10)

1. The network security protection method of the mobile base stations of the Internet of things is applied to a cloud server of the Internet of things, the cloud server of the Internet of things is in communication connection with a plurality of mobile base stations of the Internet of things and is in communication connection with an Internet of things verification terminal used for registering in each mobile base station of the Internet of things, and the method comprises the following steps:
acquiring a registration use request aiming at a target Internet of things mobile base station sent by the Internet of things verification terminal, and acquiring corresponding registration access project data and a registration application authority position from the registration use request;
extracting a preset safety protection script of each registered access item in the registered access item data relative to the target Internet of things mobile base station, determining a safety protection unit corresponding to the registered application authority position according to the preset safety protection script, respectively associating each safety protection unit to an access verification process of a corresponding registered access item, then issuing terminal information of the Internet of things verification terminal to the target Internet of things mobile base station, and enabling the target Internet of things mobile base station to record the terminal information of the Internet of things verification terminal into an authorization terminal sequence corresponding to an equipment control sequence, wherein the equipment control sequence comprises a plurality of Internet of things devices that can be controlled by the Internet of things verification terminal;
when an access request aiming at a target registration access item corresponding to the target Internet of things mobile base station and sent by the Internet of things verification terminal is received, requesting the target Internet of things mobile base station to establish a control channel between the Internet of things verification terminal and target Internet of things equipment corresponding to the access request, and performing security protection processing on control instruction information in the control channel through a security protection unit in an access verification process of the target registration access item;
the registered access item data is used for representing the specific situation of the registered access item selected by the Internet of things verification terminal, the registered access item refers to an item related to Internet of things equipment, and the item related to the Internet of things equipment comprises a control item and a data display item of intelligent medical equipment or a rendering item of virtual reality equipment; the registered application authority position refers to a position node corresponding to a specific application authority type, and the authority type comprises a data reading authority type, a data control authority type and a data writing authority type.
2. The network security protection method for the internet of things mobile base station according to claim 1, wherein the step of obtaining the registration use request for the target internet of things mobile base station sent by the internet of things verification terminal and obtaining the corresponding registration access item data and the registration application authority position from the registration use request includes:
sending an internet of things mobile base station list in a target area requested by the internet of things verification terminal to the internet of things verification terminal;
acquiring a target Internet of things mobile base station determined by the Internet of things verification terminal from the Internet of things mobile base station list, and sending a registration access item selection list and a registration application authority position selection list of the target Internet of things mobile base station to the Internet of things verification terminal;
and acquiring a registration use request sent by the Internet of things verification terminal after the selection operation is carried out on the registration access item selection list and the registration application authority position selection list, and acquiring corresponding registration access item data and a registration application authority position from the registration use request.
3. The network security protection method of the internet of things mobile base station according to claim 1, wherein the step of extracting a preset security protection script of each registered access item in the registered access item data relative to the target internet of things mobile base station, and determining a security protection unit corresponding to the registered application authority position according to the preset security protection script comprises the steps of:
extracting a preset safety protection script of each registered access item in the registered access item data relative to the target internet of things mobile base station from a preset safety protection script library of the target internet of things mobile base station;
determining the authority protocol range of the registered application authority position in an authority protocol layer according to the preset safety protection script;
and determining a safety protection unit corresponding to the registered application authority position according to the authority protocol range and the authority position of each authority protocol node in the authority protocol layer.
4. The network security protection method of the internet of things mobile base station according to claim 3, wherein the step of determining the security protection unit corresponding to the registration application authority position according to the authority protocol range and the authority position of each authority protocol node in the authority protocol layer comprises:
acquiring registered access item data pre-bound by each authority protocol node in the authority protocol layer, and judging whether the registered access item data pre-bound by each authority protocol node comprises access item characteristic information matched with a protocol response component in the authority protocol range;
when the registered access item data pre-bound by each authority protocol node does not include the access item characteristic information matched with the protocol response component of the authority protocol range, determining a plurality of pieces of registered access item data matched with the protocol response component of the authority protocol range as a plurality of pieces of target registered access item data;
acquiring the authority position of each target registration access item data in the target registration access item data, sequentially splicing the target registration access item data according to the sequence of the authority positions of the target registration access item data, and determining an updated registration access item sequence;
and determining a target security protection unit of the registered access item data in the authority protocol layer according to the updated registered access item sequence and the authority protocol range.
5. The network security protection method of the internet of things mobile base station according to claim 4, wherein the step of obtaining the pre-bound registered access item data of each authority protocol node in the authority protocol layer and judging whether the pre-bound registered access item data of each authority protocol node includes access item feature information matched with the protocol response component of the authority protocol range includes:
acquiring registered access item data pre-bound by each authority protocol node in the authority protocol layer, and acquiring protection protocol data of at least one set protection protocol in the registered access item data pre-bound by each authority protocol node;
grouping protection protocol data with set protection protocols according to different set protection protocols to obtain a plurality of first protection protocol data feature groups, wherein the first protection protocol data feature groups are a set of protection protocol data containing the same set protection protocol, and the set protection protocols corresponding to each first protection protocol data feature group are different;
determining target protection protocol data characteristics existing in the protection protocol data of each first protection protocol data characteristic group according to the protocol response component of the authority protocol range to obtain a plurality of second protection protocol data characteristic groups;
judging whether the authority protocol range of each set protection protocol in the plurality of second protection protocol data feature groups is larger than the authority protocol range;
if the authority protocol range of each set protection protocol in the plurality of second protection protocol data feature groups is larger than the authority protocol range, judging that the registered access item data pre-bound by each authority protocol node comprises access item feature information matched with a protocol response component in the authority protocol range;
and if the authority protocol range of each set protection protocol in the plurality of second protection protocol data characteristic groups is not larger than the authority protocol range, judging that the registered access item data pre-bound by each authority protocol node does not include access item characteristic information matched with the protocol response component in the authority protocol range.
6. The network security protection method of the internet of things mobile base station according to claim 4, wherein the step of determining the target security protection unit of the registered access item data in the authority protocol layer according to the updated registered access item sequence and the authority protocol range includes:
determining registered access item data in a preset protection type interval corresponding to the target Internet of things mobile base station according to the updated registered access item sequence and the authority protocol range;
and determining a target security protection unit of the registered access item data in the authority protocol layer according to the registered access item data of the mobile base station of the internet of things in a preset protection type interval.
7. The network security protection method of the internet of things mobile base station as claimed in claim 6, wherein the step of determining the target security protection unit of the registered access item data in the authority protocol layer according to the registered access item data of the internet of things mobile base station in a preset protection type interval comprises:
obtaining safety protection units of authority protocol layers corresponding to a plurality of protection configuration nodes of the mobile base station of the Internet of things in the preset protection type interval;
for the safety protection unit of the preset protection type interval of the authority protocol layer corresponding to each protection configuration node, determining a safety protection unit meeting preset conditions to be processed from the currently unmarked safety protection units of the preset protection type interval of the protection configuration node, and using the safety protection unit as a to-be-marked safety protection unit to be detected;
determining protection instance parameters of the undetermined safety protection units in the protocol environment of the authority protocol layer, or until no unmarked safety protection unit exists in the safety protection units in the preset protection type interval, wherein the process of determining the protection instance parameters of each undetermined safety protection unit in the protocol environment of the authority protocol layer is as follows:
determining protection instance parameters of the undetermined safety protection unit on the protocol environment of the authority protocol layer based on the protection level of the undetermined safety protection unit in the protection configuration node, the first protection instance parameter, determined by the safety protection unit in the protocol environment, of the authority protocol layer, and the second protection instance parameter, determined by the safety protection unit in other protection configuration nodes and the protocol environment which are the same as the protocol environment, of the authority protocol layer, of the safety protection configuration node, wherein the other protection configuration nodes are as follows: the protection configuration nodes except the protection configuration node where the undetermined safety protection unit is located in the obtained protection configuration nodes, wherein the protection instance parameters of the undetermined safety protection unit in the protocol environment of the authority protocol layer are protection instance parameters obtained after fusion parameters of the first protection instance parameters and the protection instance parameters are fused based on the fusion parameters corresponding to the protection levels;
determining an associated protection configuration parameter of a current protection configuration node according to a protection configuration script and a protection instance parameter of the current protection configuration node in the preset protection type interval, wherein the preset protection type interval corresponds to a plurality of protection configuration nodes, and the current protection configuration node is any one of the plurality of protection configuration nodes;
performing association protection configuration on the registered access project data according to the association protection configuration parameters of the current protection configuration node to obtain association protection configuration information;
according to the associated protection configuration information, counting performance dimension information including the current registration access project data, total associated protection configuration parameters of the current protection configuration node and protection performance information of the current protection configuration node;
determining the associated protection configuration parameters of the next protection configuration node adjacent to the current protection configuration node in the preset protection type interval according to the protection label of the current protection configuration node, the preset associated protection configuration parameters and the protection performance information, so as to determine the protection protocol data of the next adjacent protection configuration node by calculating the associated protection configuration parameters of the next adjacent protection configuration node;
and determining a target security protection unit of the registered access item data in the authority protocol layer by accumulating a protection instruction set formed by the protection protocol data of each determined protection configuration node, wherein the target security protection unit comprises the protection instruction set.
8. The network security protection method for the internet of things mobile base station according to claim 6, wherein the step of determining the associated protection configuration parameter of the next protection configuration node adjacent to the current protection configuration node in the preset protection type interval according to the protection label of the current protection configuration node, the preset associated protection configuration parameter, and the protection performance information includes:
acquiring a set protection grade of a protection configuration node sequence in the preset protection type interval, and determining the set protection grade of the protection configuration node sequence in the preset protection type interval as the set protection grade of the current protection configuration node;
calculating a weighted protection grade of the current protection configuration node according to the protection label of the current protection configuration node and the set protection grade of the current protection configuration node, wherein the weighted protection grade is obtained by multiplying the set protection grade by a coefficient corresponding to the protection label;
acquiring the actual protection performance intensity of the preset protection type interval protection configuration node sequence, and updating the actual protection performance intensity of the preset protection type interval protection configuration node sequence by calculation according to the balance protection grade of the current protection configuration node, the preset associated protection configuration parameter of the current protection configuration node and the actual protection performance intensity of the preset protection type interval protection configuration node sequence;
calculating the target protection performance intensity of the preset protection type interval protection configuration node sequence according to the updated actual protection performance intensity, the preset initial protection performance intensity, the initial protection configuration node of the protection configuration node sequence of the preset protection type interval and the tail protection configuration node of the protection configuration node sequence of the preset protection type interval;
calculating protection associated parameters according to the actual protection performance intensity of the preset protection type interval protection configuration node sequence, the preset initial protection performance intensity, the initial protection configuration node of the preset protection type interval protection configuration node sequence and the tail protection configuration node of the preset protection type interval protection configuration node sequence;
according to the target protection performance intensity of the preset protection type interval protection configuration node sequence, the actual protection performance intensity of the preset protection type interval protection configuration node sequence and the protection correlation parameter, after the target protection performance intensity of the protection configuration node sequence of the next adjacent protection configuration node in the preset protection type interval is obtained through calculation, the performance control parameter of the next adjacent protection configuration node in the preset protection type interval is determined;
and obtaining the associated protection configuration parameters of the next protection configuration node adjacent to the current protection configuration node in the preset protection type interval through weighting calculation of respective corresponding weighting parameters according to the performance control parameters, the target protection performance intensity of the protection configuration node sequence of the next adjacent protection configuration node in the preset protection type interval and the protection associated parameters.
9. The network security protection method for the internet of things mobile base station according to any one of claims 1 to 8, wherein the step of performing security protection processing on the control instruction information in the control channel through a security protection unit in an access verification process of the target registered access item includes:
identifying control instruction information in the control channel, and acquiring access verification information corresponding to an access verification request when identifying that the control instruction information is associated with the access verification request;
and after the access verification information passes verification, performing security protection on the control instruction information in the control channel through a security protection unit in an access verification process of the target registered access item.
10. The network security protection system of the mobile base stations of the Internet of things is characterized by comprising an Internet of things cloud server and a plurality of Internet of things mobile base stations in communication connection with the Internet of things cloud server, wherein the Internet of things cloud server is also in communication connection with an Internet of things verification terminal for registering in each Internet of things mobile base station;
the internet of things verification terminal is used for sending a registration use request aiming at a target internet of things mobile base station to the internet of things cloud server;
the Internet of things cloud server is used for acquiring a registration use request aiming at a target Internet of things mobile base station sent by the Internet of things verification terminal, and acquiring corresponding registration access project data and a registration application authority position from the registration use request;
the internet of things cloud server is used for extracting a preset safety protection script of each registered access item in the registered access item data relative to the target internet of things mobile base station, determining a safety protection unit corresponding to the registered application authority position according to the preset safety protection script, associating each safety protection unit with an access verification process of a corresponding registered access item, issuing terminal information of the internet of things verification terminal to the target internet of things mobile base station, and enabling the target internet of things mobile base station to record the terminal information of the internet of things verification terminal into an authorized terminal sequence corresponding to an equipment control sequence, wherein the equipment control sequence comprises a plurality of internet of things equipment for controlling the internet of things verification terminal;
the internet of things cloud server is used for requesting the target internet of things mobile base station to establish a control channel between the internet of things verification terminal and target internet of things equipment corresponding to the access request when receiving the access request which is sent by the internet of things verification terminal and aims at the target registration access item corresponding to the target internet of things mobile base station, and carrying out security protection processing on control instruction information in the control channel through a security protection unit in an access verification process of the target registration access item;
the registered access item data is used for representing the specific situation of the registered access item selected by the Internet of things verification terminal, the registered access item refers to an item related to Internet of things equipment, and the item related to the Internet of things equipment comprises a control item and a data display item of intelligent medical equipment or a rendering item of virtual reality equipment; the registered application authority position refers to a position node corresponding to a specific application authority type, and the authority type comprises a data reading authority type, a data control authority type and a data writing authority type.
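The flow in claims 9 and 10 can be modelled as a deny-by-default gate in front of the control channel. The following is an added illustration, not code from the patent: the class and method names, the operation names in the protection units, and the use of a per-terminal token as the access verification information are all assumptions.

```python
import hmac
import secrets
from enum import Enum

class Authority(Enum):
    """The three authority types named in claim 10."""
    READ = "data reading"
    CONTROL = "data control"
    WRITE = "data writing"

# Assumed stand-in for the "preset security protection script": the instruction
# operations each authority type's protection unit lets through (names invented).
PROTECTION_UNITS = {
    Authority.READ: {"get_reading"},
    Authority.CONTROL: {"get_reading", "set_mode"},
    Authority.WRITE: {"write_record"},
}

class BaseStation:
    def __init__(self, device_ids):
        self.devices = set(device_ids)   # equipment control sequence
        self.authorized_terminals = {}   # terminal id -> {registered item: Authority}

class CloudServer:
    def __init__(self, station):
        self.station = station
        self._tokens = {}                # terminal id -> access verification info (assumed form)

    def register(self, terminal_id, items):
        """Registration use request: record the terminal and its per-item authority."""
        self.station.authorized_terminals[terminal_id] = dict(items)
        self._tokens[terminal_id] = secrets.token_hex(16)
        return self._tokens[terminal_id]

    def handle_instruction(self, terminal_id, token, item, device_id, operation):
        """Access request carrying one control instruction; returns (forwarded, reason)."""
        grants = self.station.authorized_terminals.get(terminal_id)
        if grants is None:
            return False, "terminal not in authorized terminal sequence"
        # Claim 9: verification must pass before any protection unit runs.
        if not hmac.compare_digest(token.encode(), self._tokens[terminal_id].encode()):
            return False, "access verification failed"
        if item not in grants:
            return False, "item was not registered"
        if device_id not in self.station.devices:
            return False, "device not in equipment control sequence"
        if operation not in PROTECTION_UNITS[grants[item]]:
            return False, "blocked by protection unit"
        return True, "forwarded on control channel"
```

Every rejection path returns before the instruction reaches the channel, so a terminal registered only for a data display item cannot issue a control operation even with valid verification information.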
CN202011350704.3A 2020-03-31 2020-03-31 Network security protection method and system for mobile base station of Internet of things Withdrawn CN112492605A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011350704.3A CN112492605A (en) 2020-03-31 2020-03-31 Network security protection method and system for mobile base station of Internet of things

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202011350704.3A CN112492605A (en) 2020-03-31 2020-03-31 Network security protection method and system for mobile base station of Internet of things
CN202010239933.1A CN111432410B (en) 2020-03-31 2020-03-31 Network security protection method of mobile base station of Internet of things and cloud server of Internet of things

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN202010239933.1A Division CN111432410B (en) 2020-03-31 2020-03-31 Network security protection method of mobile base station of Internet of things and cloud server of Internet of things

Publications (1)

Publication Number Publication Date
CN112492605A true CN112492605A (en) 2021-03-12

Family

ID=71555562

Family Applications (3)

Application Number Title Priority Date Filing Date
CN202010239933.1A Active CN111432410B (en) 2020-03-31 2020-03-31 Network security protection method of mobile base station of Internet of things and cloud server of Internet of things
CN202011345203.6A Withdrawn CN112492604A (en) 2020-03-31 2020-03-31 Network security protection method and system of mobile base station of Internet of things and cloud server
CN202011350704.3A Withdrawn CN112492605A (en) 2020-03-31 2020-03-31 Network security protection method and system for mobile base station of Internet of things

Family Applications Before (2)

Application Number Title Priority Date Filing Date
CN202010239933.1A Active CN111432410B (en) 2020-03-31 2020-03-31 Network security protection method of mobile base station of Internet of things and cloud server of Internet of things
CN202011345203.6A Withdrawn CN112492604A (en) 2020-03-31 2020-03-31 Network security protection method and system of mobile base station of Internet of things and cloud server

Country Status (1)

Country Link
CN (3) CN111432410B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112269976A (en) * 2020-03-31 2021-01-26 周亚琴 Artificial intelligence face verification method and system of Internet of things
CN113014603B (en) * 2021-04-01 2022-01-04 上海艾涛信息科技发展有限公司 Protection linkage configuration method based on network security big data and big data cloud system
CN113098883B (en) * 2021-04-13 2021-11-26 四川玖优创信息科技有限公司 Block chain and big data based security protection method and block chain service system
CN113904847B (en) * 2021-10-09 2022-07-15 天翼物联科技有限公司 Cloud platform binding method, system, equipment and medium of Internet of things card

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10219152B2 (en) * 2015-09-14 2019-02-26 Futurewei Technologies, Inc. Security architecture and solution for handling internet of things devices in a fifth generation system
CN108616876A (en) * 2017-01-13 2018-10-02 北京信威通信技术股份有限公司 AS layers of method of controlling security in a kind of narrowband Internet of Things
CN107991942A (en) * 2017-12-28 2018-05-04 深圳市金溢科技股份有限公司 Intelligent radio net RSU equipment, mobile base station, monitoring system and control method
CN108574698B (en) * 2018-06-14 2020-11-27 浙江远望信息股份有限公司 Method for carrying out network security protection on Internet of things system

Also Published As

Publication number Publication date
CN111432410A (en) 2020-07-17
CN111432410B (en) 2021-05-25
CN112492604A (en) 2021-03-12

Similar Documents

Publication Publication Date Title
CN111432410B (en) Network security protection method of mobile base station of Internet of things and cloud server of Internet of things
CN110853033B (en) Video detection method and device based on inter-frame similarity
CN106339222B (en) A kind of service implementing method and device
CN110020093A (en) Video retrieval method, edge device, video frequency searching device and storage medium
CN107729928B (en) Information acquisition method and device
CN111641809B (en) Security monitoring method based on Internet of things and artificial intelligence and cloud communication server
CN110941978B (en) Face clustering method and device for unidentified personnel and storage medium
CN111625793B (en) Identification, order payment and sub-face library establishment method, device and equipment and order payment system
CN110647823A (en) Method and device for optimizing human face base
CN112200067A (en) Intelligent video event detection method, system, electronic equipment and storage medium
CN111881740A (en) Face recognition method, face recognition device, electronic equipment and medium
CN111783812A (en) Method and device for identifying forbidden images and computer readable storage medium
CN111460419B (en) Internet of things artificial intelligence face verification method and Internet of things cloud server
CN112163019B (en) Trusted electronic batch record processing method based on block chain and block chain service platform
CN112532645A (en) Internet of things equipment operation data monitoring method and system and electronic equipment
JP6244887B2 (en) Information processing apparatus, image search method, and program
CN114297735A (en) Data processing method and related device
CN112183284A (en) Safety information verification and designated driving order receiving control method and device
CN112672353A (en) Information analysis method, system and cloud platform based on cloud computing and 5G interconnection
CN117395080B (en) Encryption system scanner detection method, device, electronic equipment and storage medium
CN112152997B (en) Equipment identification-oriented double-factor authentication method, system, medium and server
CN111314266B (en) Traffic fraud detection method and device, electronic equipment and storage medium
CN116385817A (en) Cross-domain deep forgery detection model training method, deep forgery detection method and system
CN112600819A (en) Internet of things information security verification method and system
CN114332918A (en) User attribute determination method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20210312
