CN109347880A - Security protection method, apparatus and system
- Publication number: CN109347880A
- Application number: CN201811459368.9A
- Authority: CN (China)
- Prior art keywords: internet, things equipment, flow, feature, security
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L61/4511—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
- H04L63/101—Access control lists [ACL]
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H04L63/1441—Countermeasures against malicious traffic
Abstract
The invention discloses a security protection method, apparatus and system. The method includes: a security server receives real-time traffic information of an IoT device sent by a security gateway and, from the IoT device's traffic information at each moment in the current detection period, determines the target feature value of a preset traffic feature for the IoT device in the current detection period; the security server judges whether the difference between the target feature value and the predicted feature value of the preset traffic feature for the current detection period is less than a deviation threshold, where the predicted feature value is determined from the historical feature values of the preset traffic feature for a set quantity of historical detection periods before the current detection period and a preset prediction algorithm; if not, the security server sends the security gateway a blocking instruction to block the IoT device's traffic transmission, so that the security gateway blocks the IoT device's traffic transmission. This provides a security protection scheme to protect IoT devices.
Description
Technical field
The present invention relates to the technical field of network security, and in particular to a security protection method, apparatus and system.
Background
The Internet of Things (IoT) is the third wave of informatization development, following the computer and the Internet. The IoT refers to a network that connects objects to various networks according to agreed protocols for information exchange and communication, in order to achieve intelligent identification, positioning, tracking, monitoring and management. The IoT will bring extensive "networking" of object to object and person to object, and in the IoT era networks will be tied ever more closely to people's daily lives. As IoT technology develops, IoT devices are increasingly used in fields such as industrial manufacturing and smart homes, bringing great convenience to people's work and life.
However, as attention has gradually shifted to the IoT, the security of IoT devices themselves has also drawn the interest of malicious attackers. Because IoT devices are of many types and widely exposed, they are extremely fragile: attackers easily find and exploit vulnerabilities, so that IoT devices are illegally manipulated and the user experience degrades, and in some cases important data on IoT devices is modified, causing device failures and serious safety accidents. A security protection scheme to protect IoT devices is therefore urgently needed.
Summary of the invention
The invention provides a security protection method, apparatus and system to protect IoT devices.
In a first aspect, the invention discloses a security protection method applied to a security server, the method comprising:
Receiving real-time traffic information of an IoT device sent by a security gateway and, from the IoT device's traffic information at each moment in the current detection period, determining the target feature value of a preset traffic feature for the IoT device in the current detection period;
Judging whether the difference between the target feature value and the predicted feature value of the preset traffic feature for the current detection period is less than a deviation threshold, wherein the predicted feature value is determined from the historical feature values of the preset traffic feature for a set quantity of historical detection periods before the current detection period and a preset prediction algorithm;
If not, sending the security gateway a blocking instruction to block the IoT device's traffic transmission, so that the security gateway blocks the IoT device's traffic transmission.
Optionally, the preset traffic feature comprises at least one of the following:
The period at which data packets are sent, and the peak traffic of sent data packets.
Optionally, before determining, from the IoT device's traffic information at each moment in the current detection period, the target feature value of the preset traffic feature for the IoT device in the current detection period, the method further comprises:
Receiving the IP and/or domain name accessed by the IoT device, as sent by the security gateway;
Judging whether the IP and/or domain name is recorded in the IP and/or domain name whitelist corresponding to the IoT device, wherein the IP and/or domain name whitelist is determined from the historical IPs and/or historical domain names accessed by the IoT device;
If so, carrying out the subsequent steps;
If not, sending the security gateway a blocking instruction to block the IoT device's traffic transmission, so that the security gateway blocks the IoT device's traffic transmission.
Optionally, if the difference between the target feature value and the predicted feature value of the preset traffic feature for the current detection period is less than the deviation threshold, the method further comprises:
Receiving the device model of the IoT device, as sent by the security gateway;
Judging whether the target traffic feature value and the IP and/or domain name are in the traffic feature set and the IP and/or domain name set that are stored in advance for the device model;
If not, sending the security gateway a blocking instruction to block the IoT device's traffic transmission, so that the security gateway blocks the IoT device's traffic transmission.
Optionally, before determining, from the IoT device's traffic information at each moment in the current detection period, the target feature value of the preset traffic feature for the IoT device in the current detection period, the method further comprises:
Receiving link information of the IoT device, as sent by the security gateway, wherein the link information includes at least one of the IP, domain name and uniform resource locator (URL) accessed by the IoT device;
Using the link information and a preset threat intelligence engine, querying the threat intelligence engine as to whether the link information is malicious link information;
If not, carrying out the subsequent steps;
If so, sending the security gateway a blocking instruction to block the IoT device's traffic transmission, so that the security gateway blocks the IoT device's traffic transmission.
In a second aspect, the invention discloses a security protection method applied to a security gateway, the method comprising:
Sending the real-time traffic of an IoT device connected to the gateway itself to a security server, so that the security server determines, from the IoT device's traffic information at each moment in the current detection period, the target feature value of a preset traffic feature for the IoT device in the current detection period;
Receiving a blocking instruction, sent by the security server, to block the IoT device's traffic transmission, and blocking the IoT device's traffic transmission; wherein the blocking instruction is sent after the security server determines that the difference between the target feature value and the predicted feature value of the preset traffic feature for the current detection period is not less than a deviation threshold, and the predicted feature value is determined from the historical feature values of the preset traffic feature for a set quantity of historical detection periods before the current detection period and a preset prediction algorithm.
Optionally, the method further comprises:
Identifying the IP and/or domain name accessed by the IoT device, and sending the IP and/or domain name to the security server.
Optionally, the method further comprises:
Identifying the device model of the IoT device, and sending the device model to the security server.
Optionally, identifying the device model of the IoT device comprises:
Obtaining the device features of the IoT device, and determining the device model of the IoT device from the device features and a pre-stored matching relationship set containing the matching relationships between device models and device features.
Optionally, the method further comprises:
Identifying the link information of the IoT device, and sending the link information to the security server, the link information including at least one of the IP, domain name and uniform resource locator (URL) accessed by the IoT device.
In a third aspect, the invention discloses a security protection apparatus applied to a security server, the apparatus comprising:
A receiving and determining module, configured to receive real-time traffic information of an IoT device sent by a security gateway and, from the IoT device's traffic information at each moment in the current detection period, determine the target feature value of a preset traffic feature for the IoT device in the current detection period;
A judging module, configured to judge whether the difference between the target feature value and the predicted feature value of the preset traffic feature for the current detection period is less than a deviation threshold, wherein the predicted feature value is determined from the historical feature values of the preset traffic feature for a set quantity of historical detection periods before the current detection period and a preset prediction algorithm; if the judgment result is no, the indicating module is triggered;
An indicating module, configured to send the security gateway a blocking instruction to block the IoT device's traffic transmission, so that the security gateway blocks the IoT device's traffic transmission.
Optionally, the preset traffic feature comprises at least one of the following:
The period at which data packets are sent, and the peak traffic of sent data packets.
Optionally, the apparatus further comprises:
A receiving and judging module, configured to receive the IP and/or domain name accessed by the IoT device, as sent by the security gateway, and to judge whether the IP and/or domain name is recorded in the IP and/or domain name whitelist corresponding to the IoT device, wherein the IP and/or domain name whitelist is determined from the historical IPs and/or historical domain names accessed by the IoT device; if the judgment result is yes, the receiving and determining module is triggered; if the judgment result is no, the indicating module is triggered.
Optionally, the receiving and judging module is further configured to, if the difference between the target feature value and the predicted feature value of the preset traffic feature for the current detection period is less than the deviation threshold, receive the device model of the IoT device, as sent by the security gateway, and judge whether the target traffic feature value and the IP and/or domain name are in the traffic feature set and the IP and/or domain name set that are stored in advance for the device model; if the judgment result is no, the indicating module is triggered.
Optionally, the apparatus further comprises:
A receiving and querying module, configured to receive link information of the IoT device, as sent by the security gateway, wherein the link information includes at least one of the IP, domain name and uniform resource locator (URL) accessed by the IoT device, and, using the link information and a preset threat intelligence engine, to query the threat intelligence engine as to whether the link information is malicious link information; if the query result is yes, the receiving and determining module is triggered; if the query result is no, the indicating module is triggered.
In a fourth aspect, the invention discloses a security protection apparatus applied to a security gateway, the apparatus comprising:
A sending module, configured to send the real-time traffic of an IoT device connected to the gateway itself to a security server, so that the security server determines, from the IoT device's traffic information at each moment in the current detection period, the target feature value of a preset traffic feature for the IoT device in the current detection period;
A receiving and processing module, configured to receive a blocking instruction, sent by the security server, to block the IoT device's traffic transmission, and to block the IoT device's traffic transmission; wherein the blocking instruction is sent after the security server determines that the difference between the target feature value and the predicted feature value of the preset traffic feature for the current detection period is not less than a deviation threshold, and the predicted feature value is determined from the historical feature values of the preset traffic feature for a set quantity of historical detection periods before the current detection period and a preset prediction algorithm.
Optionally, the apparatus further comprises:
An identifying and sending module, configured to identify the IP and/or domain name accessed by the IoT device and send the IP and/or domain name to the security server.
Optionally, the identifying and sending module is further configured to identify the device model of the IoT device and send the device model to the security server.
Optionally, the identifying and sending module is specifically configured to obtain the device features of the IoT device and determine the device model of the IoT device from the device features and a pre-stored matching relationship set containing the matching relationships between device models and device features.
Optionally, the identifying and sending module is further configured to identify the link information of the IoT device and send the link information to the security server, the link information including at least one of the IP, domain name and uniform resource locator (URL) accessed by the IoT device.
In a fifth aspect, the invention discloses a security protection system, the system comprising: a security server that includes the above security protection apparatus, at least one security gateway that includes the above security protection apparatus, and at least one IoT device connected to the security gateway.
In the embodiments of the invention, the security server determines the predicted feature value of the preset traffic feature for the IoT device from the historical feature values of the preset traffic feature for a set quantity of historical detection periods before the current detection period and a preset prediction algorithm, and so establishes a baseline of the IoT device's normal behavior. When the security server detects that the difference between the target feature value of the preset traffic feature for the IoT device in the current detection period and the predicted feature value exceeds the deviation threshold, that is, the device has deviated from its normal behavior baseline, it sends the security gateway a blocking instruction to block the IoT device's traffic transmission, so that the security gateway blocks the IoT device's traffic transmission. This provides a security protection scheme that protects IoT devices.
Brief description of the drawings
To explain the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. The drawings described below are only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of a security protection process provided by an embodiment of the invention;
Fig. 2 is a schematic diagram of an IP and/or domain name whitelist determination process provided by an embodiment of the invention;
Fig. 3 is a schematic diagram of a security protection process provided by an embodiment of the invention;
Fig. 4 is a schematic diagram of the functional architecture of a security server provided by an embodiment of the invention;
Fig. 5 is a schematic diagram of a security protection process provided by an embodiment of the invention;
Fig. 6 is a schematic diagram of a device model identification process provided by an embodiment of the invention;
Fig. 7 is a schematic diagram of the functional architecture of a security gateway provided by an embodiment of the invention;
Fig. 8 is a work flow diagram of a security gateway provided by an embodiment of the invention;
Fig. 9 is a security protection apparatus provided by an embodiment of the invention;
Fig. 10 is a security protection apparatus provided by an embodiment of the invention;
Fig. 11 is a security protection system provided by an embodiment of the invention.
Detailed description of the embodiments
To make the objectives, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings. The described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
It should be understood that, in the description of this application, "and/or" describes an association between associated objects and indicates that three relationships are possible; for example, A and/or B can mean: A alone, both A and B, or B alone. The character "/" generally indicates an "or" relationship between the objects before and after it. "Multiple" in this application means two or more.
Embodiment 1:
Fig. 1 is a schematic diagram of a security protection process provided by an embodiment of the invention. The process includes:
S101: receive real-time traffic information of an IoT device sent by a security gateway and, from the IoT device's traffic information at each moment in the current detection period, determine the target feature value of a preset traffic feature for the IoT device in the current detection period.
The security protection method provided by this embodiment is applied to a security server. The security server may also be a security server cluster made up of multiple security servers, or a security platform made up of multiple security servers. In this embodiment there may be one or more security gateways in communication with the security server, and one or more IoT devices connected to a security gateway. This embodiment is described using one security gateway in communication with the security server, and one IoT device connected to that security gateway, as an example.
Unlike the traffic of terminals such as conventional computers or mobile phones, the business scenarios of an IoT device are relatively fixed. The heartbeat data or service data that an IoT device sends is periodic, and the content of that data is relatively fixed. This embodiment uses these characteristics of the heartbeat data or service data sent by an IoT device to protect the IoT device.
Specifically, the security gateway may send the real-time traffic information of the IoT device connected to it to the security server in real time. Preferably, the security gateway may instead use the same detection period as the security server, collect the IoT device's real-time traffic information within the detection period, and send it to the security server once per detection period, where the detection period may be 1 min, 3 min, 5 min, and so on. The security server receives the real-time traffic information of the IoT device sent by the security gateway and, from the IoT device's traffic information at each moment in the current detection period, determines the target feature value of the preset traffic feature for the IoT device in the current detection period, where the preset traffic feature includes at least one of the period at which data packets are sent and the peak traffic of sent data packets. Determining traffic features such as the sending period and the peak traffic from the traffic information at each moment is prior art and is not described further here.
S102: judge whether the difference between the target feature value and the predicted feature value of the preset traffic feature for the current detection period is less than the deviation threshold; if so, end; if not, carry out S103.
S103: send the security gateway a blocking instruction to block the IoT device's traffic transmission, so that the security gateway blocks the IoT device's traffic transmission.
In this embodiment, the predicted feature value is determined from the historical feature values of the preset traffic feature for a set quantity of historical detection periods before the current detection period and a preset prediction algorithm.
A prediction algorithm, such as a time series algorithm, is preset in the security server. Specifically, for the current detection period, the security server takes each historical feature value of the preset traffic feature for the set quantity of historical detection periods before the current detection period and uses the preset prediction algorithm to determine the predicted feature value of the preset traffic feature for the current detection period. For example, if the current detection period is the 9th detection period, the set quantity is 5 and the preset prediction algorithm is a time series algorithm, the security server takes the historical feature values of the preset traffic feature for the 4th, 5th, 6th, 7th and 8th detection periods and uses the time series algorithm to determine the predicted feature value of the preset traffic feature for the 9th detection period.
It should also be noted that, in this embodiment, there may be one preset traffic feature or several. If there are several, a deviation threshold can be set separately for each preset traffic feature. If the security server determines that, for any preset traffic feature, the difference between the corresponding target feature value and predicted feature value is not less than the deviation threshold for that preset traffic feature, it determines that the IoT device is abnormal and sends the security gateway a blocking instruction to block the IoT device's traffic transmission, and the security gateway blocks the IoT device's traffic transmission.
In addition, when the security server judges that the difference between the target feature value of the preset traffic feature for the IoT device in the current detection period and the predicted feature value of the preset traffic feature for the current detection period is not less than the deviation threshold, it can issue warning information to tell administrators that the IoT device is abnormal. Preferably, when the security server issues the warning information, it can also display identification information of the abnormal IoT device, such as its name, so that administrators know which device is affected.
In this embodiment, the security server determines, from the IoT device's traffic information at each moment in the current detection period, the target feature value of the preset traffic feature for the IoT device in the current detection period. When the difference between the target feature value and the predicted feature value, which is determined from the historical feature values of the preset traffic feature for a set quantity of historical detection periods before the current detection period and a preset prediction algorithm, is not less than the deviation threshold, the security server sends the security gateway a blocking instruction to block the IoT device's traffic transmission, so that the security gateway blocks the IoT device's traffic transmission. The IoT device's traffic transmission is thus blocked when its traffic is abnormal, which provides a security protection scheme that protects IoT devices.
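The decision flow of S101 to S103, as an added example that is not part of the patent text: it derives the two named traffic features for each detection period, predicts them from the previous 5 periods, and blocks when any feature's difference is not less than its threshold. The packet tuple format, the use of simple exponential smoothing as the prediction algorithm, the threshold values, the rule that only normal periods extend the history, and the device name are all assumptions.

```python
import math
from statistics import median

SET_QUANTITY = 5  # history periods fed to the predictor (the value used in the text's example)
DEVIATION_THRESHOLDS = {  # one threshold per preset traffic feature; values are constructed
    "send_period_s": 2.0,
    "peak_traffic_bytes": 200.0,
}


def extract_features(packets, bucket_s=1.0):
    """Target feature values for one detection period.

    packets: list of (timestamp_seconds, size_bytes) tuples, an assumed format
    for the per-moment traffic information the gateway reports.
    """
    times = sorted(t for t, _ in packets)
    gaps = [b - a for a, b in zip(times, times[1:])]
    per_bucket = {}
    for t, size in packets:
        key = int(t // bucket_s)
        per_bucket[key] = per_bucket.get(key, 0) + size
    return {
        # Fewer than two packets means no measurable period: report infinity.
        "send_period_s": median(gaps) if gaps else math.inf,
        "peak_traffic_bytes": float(max(per_bucket.values(), default=0)),
    }


def predict(history, alpha=0.5):
    """Simple exponential smoothing, standing in for the preset prediction algorithm."""
    level = history[0]
    for value in history[1:]:
        level = alpha * value + (1 - alpha) * level
    return level


class DeviceBaseline:
    """Per-device state held by the security server."""

    def __init__(self, device_id):
        self.device_id = device_id
        self.history = {name: [] for name in DEVIATION_THRESHOLDS}

    def _record(self, features):
        for name, value in features.items():
            self.history[name].append(value)

    def _result(self, action, violations=()):
        return {"device": self.device_id, "action": action, "violations": list(violations)}

    def evaluate(self, packets):
        """Decide what to tell the gateway about one detection period."""
        target = extract_features(packets)
        if len(self.history["send_period_s"]) < SET_QUANTITY:
            # Not enough history to predict yet; keep only finite values so a
            # silent period cannot poison the baseline with infinity.
            if all(math.isfinite(v) for v in target.values()):
                self._record(target)
            return self._result("learn")
        violations = []
        for name, threshold in DEVIATION_THRESHOLDS.items():
            predicted = predict(self.history[name][-SET_QUANTITY:])
            # S102: is the difference less than the deviation threshold? If not, S103.
            # The absolute difference is used here (an assumption).
            if not abs(target[name] - predicted) < threshold:
                violations.append(name)
        if violations:
            return self._result("block", violations)  # S103: blocking instruction
        self._record(target)  # assumption: only normal periods extend the baseline
        return self._result("allow")


def make_period(start, interval_s, size, length_s=60):
    """Constructed traffic: one packet of `size` bytes every `interval_s` seconds."""
    return [(start + i * interval_s, size) for i in range(int(length_s / interval_s))]


def demo():
    device = DeviceBaseline("camera-01")  # hypothetical device name
    normal = [(10.0, 120), (10.0, 124), (9.5, 120), (10.0, 118), (10.0, 120)]
    for n, (interval, size) in enumerate(normal):
        device.evaluate(make_period(n * 60, interval, size))
    return {
        "steady": device.evaluate(make_period(300, 10.0, 120)),
        "bulk": device.evaluate(make_period(360, 10.0, 1400)),
        "burst": device.evaluate(make_period(420, 0.5, 1400)),
    }


if __name__ == "__main__":
    for label, decision in demo().items():
        print(label, decision)
```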
Embodiment 2:
Unlike terminals such as conventional computers or mobile phones, the destination addresses that an IoT device accesses are relatively fixed and can be enumerated. To further improve the effect of the security protection, on the basis of the above embodiment, in this embodiment, before determining, from the IoT device's traffic information at each moment in the current detection period, the target feature value of the preset traffic feature for the IoT device in the current detection period, the method further comprises:
Receiving the IP and/or domain name accessed by the IoT device, as sent by the security gateway;
Judging whether the IP and/or domain name is recorded in the IP and/or domain name whitelist corresponding to the IoT device, wherein the IP and/or domain name whitelist is determined from the historical IPs and/or historical domain names accessed by the IoT device;
If so, carrying out the subsequent steps;
If not, sending the security gateway a blocking instruction to block the IoT device's traffic transmission, so that the security gateway blocks the IoT device's traffic transmission.
Specifically, the security gateway can use a traffic collection tool to collect the information in the data packets sent by the IoT device, such as the source IP, destination IP, source port, destination port, application protocol, connection time, Domain Name System (DNS) requests, accessed URLs and information on the data packets sent. From the destination IP and the DNS requests of the IoT device, the security gateway determines the IP and domain name accessed by the IoT device, and sends the IP and/or domain name accessed by the IoT device to the security server.
The security server stores in advance the IP and/or domain name whitelist corresponding to each IoT device. As shown in Fig. 2, before security protection is carried out, the security gateway sends the security server the IPs and/or domain names that each IoT device accesses while working normally for a period of time. The security server uses machine learning to compile statistics on the historical IPs and/or historical domain names accessed by each IoT device, and computes the IP and/or domain name whitelist corresponding to each IoT device.
During security protection, the security server receives the IP and/or domain name accessed by the IoT device, as sent by the security gateway, and checks whether that IP and/or domain name is recorded in the IP and/or domain name whitelist corresponding to the IoT device. If it is, the IoT device's access is normal. If it is not, the IoT device's access is abnormal: the security server issues alarm information and sends the security gateway a blocking instruction to block the IoT device's traffic transmission, so that the security gateway blocks the traffic transmission of the IoT device.
Embodiment 3:
To prevent a single IoT device that shows abnormal access or has been attacked from being mistaken for a normal one, on the basis of the above embodiments, in this embodiment of the present invention, if the difference between the target feature value and the predicted feature value of the preset traffic feature for the current detection period is less than the deviation threshold, the method further includes:
Receiving the device model of the IoT device, as sent by the security gateway;
Judging whether the target traffic feature value and the IP and/or domain name are in the pre-stored traffic feature set and IP and/or domain name set corresponding to the device model;
If not, sending the security gateway a blocking instruction to block the IoT device's traffic transmission, so that the security gateway blocks the traffic transmission of the IoT device.
In this embodiment of the present invention, the security server also stores in advance the traffic feature set and the IP and/or domain name set corresponding to the IoT devices of each device model. Using a machine learning algorithm, the security server, in advance and for each device model, compiles statistics on the traffic feature values of the preset traffic feature over multiple detection periods for multiple IoT devices of that device model during normal operation, and determines the traffic feature set corresponding to the device model. It likewise compiles statistics on the IPs and/or domain names accessed by the multiple IoT devices of that device model during normal operation, and determines the IP and/or domain name set corresponding to the device model.
Specifically, after the security server receives the device model of the IoT device sent by the security gateway, it judges whether the target traffic feature value of the IoT device for the current period and the IP and/or domain name it accesses are in the pre-stored traffic feature set and IP and/or domain name set corresponding to the device model. If they are, the IoT device conforms to the behavioral features of IoT devices of that device model. Otherwise, the IoT device does not conform to the behavioral features of IoT devices of that device model, and the security server sends the security gateway a blocking instruction to block the IoT device's traffic transmission, so that the security gateway blocks the traffic transmission of the IoT device.
Embodiment 4:
To further improve the effect of security protection, on the basis of the above embodiments, in this embodiment of the present invention, before the target feature value of the preset traffic feature for the IoT device's current detection period is determined from the traffic information of the IoT device at each moment in the current detection period, the method further includes:
Receiving the link information of the IoT device, as sent by the security gateway, where the link information includes at least one of the IP, domain name and Uniform Resource Locator (URL) accessed by the IoT device;
Querying, according to the link information and a preset threat intelligence engine, whether the link information is malicious link information;
If not, carrying out the subsequent steps;
If so, sending the security gateway a blocking instruction to block the IoT device's traffic transmission, so that the security gateway blocks the traffic transmission of the IoT device.
In this embodiment of the present invention, the security server can also use a third-party threat intelligence engine to judge whether the IoT device is abnormal. Specifically, as shown in Fig. 3, the security gateway sends the link information of the IoT device to the security server; the link information includes the accessed IP, domain name, URL and so on. According to the link information sent by the security gateway, the security server queries, through the API of the preset threat intelligence engine, whether the link information is malicious link information, and receives the threat intelligence engine's query result. The link information is determined to be malicious link information when it is marked as having a reputation problem, is linked to a command and control server (CNC), or is directly marked as malicious link information. If the link information of the IoT device is malicious link information, the security server considers the IoT device to be at risk: it issues alarm information and sends the security gateway a blocking instruction to block the IoT device's traffic transmission, so that the security gateway blocks the traffic transmission of the IoT device.
Fig. 4 is a schematic diagram of the functional structure of a security server provided by an embodiment of the present invention. As shown in Fig. 4, the security server includes an anomaly analysis unit, a threat intelligence query unit, a device management unit, a security gateway data receiving unit, a data storage unit, a traffic analysis unit and so on. The security gateway data receiving unit is mainly used to receive the IoT device data sent by the security gateway, such as traffic information and link information, and to store the received IoT device data in the data storage unit. The data storage unit stores data such as the IoT device data sent by the security gateway and the processing logs of the security server. The traffic analysis unit is mainly used to analyze the traffic information sent by the security gateway and to predict the traffic features of the IoT device. The threat intelligence query unit queries known threat intelligence search engines to learn whether the link information of the IoT device is a malicious link. The abnormal behavior detection unit detects whether the IoT device shows abnormal behavior, for example by checking the device's traffic features and the IPs and domain names it accesses, and raises an alarm when the IoT device is abnormal. The device management unit provides a management portal for administrators and users, for visualized management (dashboard) of the IoT devices directly or indirectly connected to the security server, account management of the security gateway, and so on.
Embodiment 5:
Fig. 5 is a schematic diagram of a security protection process provided by an embodiment of the present invention. The process includes:
S501: Sending the real-time traffic of the IoT device connected to itself to the security server, so that the security server determines, from the traffic information of the IoT device at each moment in the current detection period, the target feature value of the preset traffic feature for the IoT device's current detection period.
Specifically, the security gateway can send the real-time traffic information of the IoT device connected to the security gateway to the security server in real time. Preferably, the security gateway can also use the same detection period as the security server, compile the real-time traffic information of the IoT device within each detection period, and send it to the security server once per detection period, where the detection period can be 1 min, 3 min, 5 min and so on. The security server receives the real-time traffic information of the IoT device sent by the security gateway and, from the traffic information of the IoT device at each moment in the current detection period, determines the target feature value of the preset traffic feature for the IoT device's current detection period. The preset traffic feature includes at least one of the period of sending data packets and the peak traffic of sending data packets. Determining traffic features such as the period of sending data packets and the peak traffic of sending data packets from the traffic information at each moment is prior art and is not described further here.
S502: Receiving the blocking instruction, sent by the security server, to block the IoT device's traffic transmission, and blocking the traffic transmission of the IoT device.
The blocking instruction is sent after the security server determines that the difference between the target feature value and the predicted feature value of the preset traffic feature for the current detection period is not less than the deviation threshold. The predicted feature value is determined from each historical feature value of the preset traffic feature in a set number of historical detection periods before the current detection period, together with a preset prediction algorithm.
A prediction algorithm, such as a time series algorithm, is preset in the security server. Specifically, for the current detection period, the security server uses the preset prediction algorithm to determine the predicted feature value of the preset traffic feature for the current detection period from each historical feature value of the preset traffic feature in a set number of historical detection periods before the current detection period. For example, if the current detection period is the 9th detection period, the set number is 5 and the preset prediction algorithm is a time series algorithm, the security server takes the historical feature values of the preset traffic feature for the 4th, 5th, 6th, 7th and 8th detection periods and uses the time series algorithm to determine the predicted feature value of the preset traffic feature for the 9th detection period.
In addition, it should be noted that in the embodiments of the present invention there can be one preset traffic feature or several. If there are several preset traffic features, a deviation threshold can be set separately for each of them. If the security server determines that, for any preset traffic feature, the difference between the corresponding target feature value and predicted feature value is not less than the deviation threshold for that preset traffic feature, it determines that the IoT device is abnormal and sends the security gateway a blocking instruction to block the IoT device's traffic transmission. After the security gateway receives the blocking instruction, it blocks the traffic transmission of the IoT device.
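The order of the server-side checks in Embodiments 2, 3 and 5 (device whitelist, deviation from the prediction, then the device-model sets), as an added Python example that is not part of the patent. The linear-trend forecast stands in for the unspecified "time series algorithm", the model's traffic feature set is assumed to be a (low, high) range per feature, and all names and sample values are constructed.

```python
from dataclasses import dataclass
from typing import NamedTuple


class Verdict(NamedTuple):
    action: str  # "allow" or "block"
    reason: str


@dataclass
class DeviceProfile:
    whitelist: set  # IPs/domains learned from this one device's history
    history: dict   # feature name -> value per detection period, oldest first


@dataclass
class ModelProfile:
    feature_ranges: dict  # feature -> (low, high); assumed form of the feature set
    destinations: set     # IPs/domains seen across devices of this model


def forecast_next(window):
    """Least-squares linear trend over the window, extrapolated one period.

    Assumption: stands in for the patent's unspecified time series algorithm.
    """
    n = len(window)
    x_mean = (n - 1) / 2
    y_mean = sum(window) / n
    sxx = sum((x - x_mean) ** 2 for x in range(n))
    sxy = sum((x - x_mean) * (y - y_mean) for x, y in enumerate(window))
    slope = sxy / sxx if sxx else 0.0
    return y_mean + slope * (n - x_mean)


def evaluate_period(device, model, destinations, target, thresholds, set_quantity=5):
    """Decide whether to block a device for the current detection period."""
    # Embodiment 2: every destination must be on the device's own whitelist.
    for dest in sorted(destinations):
        if dest not in device.whitelist:
            return Verdict("block", f"{dest} not in device whitelist")
    # Embodiment 5: block when |target - predicted| is not less than the
    # deviation threshold of any preset traffic feature.
    for name, value in sorted(target.items()):
        window = device.history.get(name, [])[-set_quantity:]
        if len(window) < set_quantity:
            continue  # assumption: too little history, rely on the model check
        predicted = forecast_next(window)
        if abs(value - predicted) >= thresholds[name]:
            return Verdict("block", f"{name} deviates from predicted {predicted:.1f}")
    # Embodiment 3: a device that passes its own checks must still fit its model.
    for name, value in sorted(target.items()):
        low, high = model.feature_ranges[name]
        if not low <= value <= high:
            return Verdict("block", f"{name} outside model feature set")
    for dest in sorted(destinations):
        if dest not in model.destinations:
            return Verdict("block", f"{dest} not in model destination set")
    return Verdict("allow", "consistent with device history and device model")


# Constructed sample data: detection periods 4..8, evaluated for period 9.
# 203.0.113.50 is on the device whitelist but unknown for the device model,
# as if the device's own baseline had been learned while it was misbehaving.
PLUG = DeviceProfile(
    whitelist={"iot.vendor.example", "ntp.vendor.example", "203.0.113.50"},
    history={"send_period_s": [30.0, 30.0, 31.0, 30.0, 30.0],
             "peak_bytes_per_s": [100.0, 102.0, 101.0, 103.0, 102.0]},
)
PLUG_MODEL = ModelProfile(
    feature_ranges={"send_period_s": (25.0, 35.0), "peak_bytes_per_s": (50.0, 400.0)},
    destinations={"iot.vendor.example", "ntp.vendor.example"},
)
THRESHOLDS = {"send_period_s": 5.0, "peak_bytes_per_s": 50.0}

if __name__ == "__main__":
    normal = {"send_period_s": 30.0, "peak_bytes_per_s": 104.0}
    spike = {"send_period_s": 30.0, "peak_bytes_per_s": 900.0}
    print(evaluate_period(PLUG, PLUG_MODEL, {"iot.vendor.example"}, normal, THRESHOLDS))
    print(evaluate_period(PLUG, PLUG_MODEL, {"iot.vendor.example"}, spike, THRESHOLDS))
    print(evaluate_period(PLUG, PLUG_MODEL, {"203.0.113.50"}, normal, THRESHOLDS))
```

A device whose traffic drifts upward steadily keeps matching its own forecast, so only the model-level range stops it.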
Embodiment 6:
Unlike traditional terminals such as computers or mobile phones, the destination addresses accessed by an IoT device are relatively fixed and can be enumerated. To further improve the effect of security protection, on the basis of the above embodiment, in this embodiment of the present invention, the method further includes:
Identifying the IP and/or domain name accessed by the IoT device, and sending the IP and/or domain name to the security server.
Specifically, the security gateway can use a traffic collection tool to collect the information in the data packets sent by the IoT device, such as the source IP, destination IP, source port, destination port, application protocol, connection time, Domain Name System (DNS) requests, accessed URLs and information on the data packets sent. From the destination IP and the DNS requests of the IoT device, the security gateway determines the IP and domain name accessed by the IoT device, and sends the IP and/or domain name accessed by the IoT device to the security server.
The security server receives the IP and/or domain name accessed by the IoT device, as sent by the security gateway, and checks whether that IP and/or domain name is recorded in the IP and/or domain name whitelist corresponding to the IoT device. If it is, the IoT device's access is normal. If it is not, the IoT device's access is abnormal: the security server issues alarm information and sends the security gateway a blocking instruction to block the IoT device's traffic transmission, so that the security gateway blocks the traffic transmission of the IoT device.
Embodiment 7:
To prevent a single IoT device that shows abnormal access or has been attacked from being mistaken for a normal one, on the basis of the above embodiments, in this embodiment of the present invention, the method further includes:
Identifying the device model of the IoT device, and sending the device model to the security server.
The security server also stores in advance the traffic feature set and the IP and/or domain name set corresponding to the IoT devices of each device model. Using a machine learning algorithm, the security server, in advance and for each device model, compiles statistics on the traffic feature values of the preset traffic feature over multiple detection periods for multiple IoT devices of that device model during normal operation, and determines the traffic feature set corresponding to the device model. It likewise compiles statistics on the IPs and/or domain names accessed by the multiple IoT devices of that device model during normal operation, and determines the IP and/or domain name set corresponding to the device model.
Specifically, the security gateway can directly read the device model information of the IoT device and send it to the security server. After the security server receives the device model of the IoT device sent by the security gateway, it judges whether the target traffic feature value of the IoT device for the current period and the IP and/or domain name it accesses are in the pre-stored traffic feature set and IP and/or domain name set corresponding to the device model. If they are, the IoT device conforms to the behavioral features of IoT devices of that device model. Otherwise, the IoT device does not conform to the behavioral features of IoT devices of that device model, and the security server sends the security gateway a blocking instruction to block the IoT device's traffic transmission, so that the security gateway blocks the traffic transmission of the IoT device.
In addition, to ensure the accuracy of identifying the device model of the IoT device, identifying the device model of the IoT device includes:
Obtaining the device features of the IoT device, and determining the device model of the IoT device according to the device features and a pre-stored matching relation set that contains the matching relations between device models and device features. In the embodiments of the present invention, the device features of the IoT device include one or more of the host name of the IoT device during networking, its Media Access Control (MAC) address, the domain names it accesses, its payload and so on.
In the embodiments of the present invention, the security gateway stores in advance a matching relation set that contains the matching relations between each known device model and its device features. After an IoT device accesses the security gateway, the security gateway identifies the device features of the IoT device and, using the matching relations between device model and device feature in the matching relation set, determines the device model that matches the IoT device.
Preferably, as shown in Fig. 6, after the IoT device accesses the security gateway and establishes a connection with it, the security gateway collects the data packets of the IoT device for a certain length of time and identifies device features such as the host name, MAC, accessed domain names and payload of the IoT device. It then matches each of these device features against the matching relations between device model and device feature in the matching relation set. If any device feature matches successfully, the security gateway outputs the corresponding device model and deletes the collected data packets. If matching is unsuccessful, the security gateway sends the collected data packets and the host name, MAC, accessed domain names and payload of the IoT device to the security server, where administrators analyze them and generate the matching relation between the device model of the IoT device and its device features. This matching relation is issued to the security gateway, which adds it to the matching relation set, thereby achieving identification of the device model of the IoT device.
Take as an example an IoT device that is a "Xiaomi socket" and whose host name is "chuangmi-plug-ml_Mi". If the matching relation set records the matching relation that an IoT device whose host name contains "chuangmi-plug" is a "Xiaomi socket", the IoT device is determined to be a Xiaomi socket. If the device model of the IoT device cannot be determined from the existing matching relation set, the data packets of the IoT device collected over a period of time, such as 10 minutes, together with the host name, MAC, accessed domain names and payload, are sent to the security server for analysis, and the resulting matching relation between the device model and the device features is issued to the security gateway to update the matching relation set of the security gateway.
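The gateway-side identification loop of Embodiment 7 (match any device feature, otherwise escalate to the server and install the relation it issues), as an added Python example that is not part of the patent. The hostname rule is the one the text gives; the class and function names, the camera device and its domain are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Relation:
    """One matching relation between a device model and a device feature."""
    model: str
    feature: str  # "hostname", "mac", "domain" or "payload"
    pattern: str


def relation_matches(rel, features):
    """True if the observed device features satisfy this matching relation."""
    pat = rel.pattern.lower()
    if rel.feature == "hostname":   # substring of the host name
        return pat in features.get("hostname", "").lower()
    if rel.feature == "mac":        # prefix of the MAC address
        return features.get("mac", "").lower().startswith(pat)
    if rel.feature == "domain":     # accessed domain or one of its subdomains
        return any(d.lower() == pat or d.lower().endswith("." + pat)
                   for d in features.get("domains", ()))
    if rel.feature == "payload":    # byte string inside a captured payload
        return any(pat.encode() in p.lower() for p in features.get("payloads", ()))
    return False


class Gateway:
    def __init__(self, relations):
        self.relations = list(relations)
        self.sent_to_server = []  # stands in for the upload to the security server

    def identify(self, features, packets):
        """Return the device model, or None after escalating to the server."""
        for rel in self.relations:
            if relation_matches(rel, features):
                packets.clear()  # matched: the collected packets are deleted
                return rel.model
        # No relation matched: forward the capture and features for analysis.
        self.sent_to_server.append({"features": features, "packets": list(packets)})
        return None

    def update_relations(self, rel):
        """Install a relation issued by the server after administrator analysis."""
        if rel not in self.relations:
            self.relations.append(rel)


# The hostname relation described in the text.
RELATIONS = [Relation("Xiaomi socket", "hostname", "chuangmi-plug")]

# Constructed captures: one device the gateway knows, one it does not.
PLUG = {"hostname": "chuangmi-plug-ml_Mi", "mac": "02:00:00:aa:bb:01",
        "domains": ["iot.vendor.example"], "payloads": [b'{"method":"plug.status"}']}
CAMERA = {"hostname": "ipcam-7f3a", "mac": "02:00:00:cc:dd:02",
          "domains": ["stream.camvendor.example"], "payloads": [b'{"method":"cam.ping"}']}

if __name__ == "__main__":
    gw = Gateway(RELATIONS)
    print(gw.identify(PLUG, [b"pkt1", b"pkt2"]))      # Xiaomi socket
    print(gw.identify(CAMERA, [b"pkt3"]))             # None, escalated
    gw.update_relations(Relation("example camera", "domain", "camvendor.example"))
    print(gw.identify(CAMERA, [b"pkt4"]))             # example camera
```

Host name and MAC address are reported by the device itself, so a model identified this way is only as trustworthy as those fields.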
Embodiment 8:
To further improve the effect of security protection, on the basis of the above embodiments, in this embodiment of the present invention, the method further includes:
Identifying the link information of the IoT device, and sending the link information to the security server, where the link information includes at least one of the IP, domain name and Uniform Resource Locator (URL) accessed by the IoT device.
The security server can also use a third-party threat intelligence engine to judge whether the IoT device is abnormal. Specifically, as shown in Fig. 3, the security gateway sends the link information of the IoT device to the security server; the link information includes the accessed IP, domain name, URL and so on. According to the link information sent by the security gateway, the security server queries, through the API of the preset threat intelligence engine, whether the link information is malicious link information, and receives the threat intelligence engine's query result. The link information is determined to be malicious link information when it is marked as having a reputation problem, is linked to a command and control server (CNC), or is directly marked as malicious link information. If the link information of the IoT device is malicious link information, the security server considers the IoT device to be at risk: it issues alarm information and sends the security gateway a blocking instruction to block the IoT device's traffic transmission, so that the security gateway blocks the traffic transmission of the IoT device.
Fig. 7 is a schematic diagram of the functional structure of a security gateway provided by an embodiment of the present invention. As shown in Fig. 7, the security gateway includes a traffic collection unit, a device identification unit, a wireless access point (Wireless Access Point, AP) service unit, an instruction receiving unit, a data sending unit, an access control unit, an intrusion detection unit and so on. The device identification unit mainly identifies the device model of an accessing IoT device from its device features; specific device features include the host name, the device's network MAC address and so on. The traffic collection unit mainly collects, for the IoT devices accessing the security gateway, the real-time traffic, source IP, destination IP, source port, destination port, application protocol, connection time, DNS requests, accessed URLs, information on the data packets sent and similar information. The intrusion detection unit mainly monitors IoT devices in real time and detects whether any IoT device shows abnormal behavior such as being intruded upon, brute-force cracking, abnormal login or scanning. The access control unit blocks the traffic transmission of IoT devices, for example through a firewall (iptables). The data sending unit sends to the security server the real-time traffic, source IP, destination IP, source port, destination port, application protocol, connection time, Domain Name System (DNS) requests, accessed URLs and information on the data packets sent for the IoT device, together with the alarm information detected by the intrusion detection unit, providing data support for the security server. The instruction receiving unit receives the instructions issued by the security server for access control of IoT devices. The AP service unit provides Wi-Fi or Ethernet connections, and thus network connectivity, for IoT devices.
As shown in Fig. 8, in the embodiments of the present invention, when the security gateway detects that an IoT device shows abnormal behavior such as being intruded upon, brute-force cracking, abnormal login or scanning, it can block the traffic transmission of the IoT device directly, or it can report the abnormal behavior of the IoT device to the security server and decide whether to block the traffic transmission of the IoT device according to the instruction of the security server.
Embodiment 9:
Fig. 9 shows a security protection apparatus provided by an embodiment of the present invention, applied to a security server. The apparatus includes:
Receiving and determining module 91, used to receive the real-time traffic information of the IoT device sent by the security gateway and to determine, from the traffic information of the IoT device at each moment in the current detection period, the target feature value of the preset traffic feature for the IoT device's current detection period;
Judging module 92, used to judge whether the difference between the target feature value and the predicted feature value of the preset traffic feature for the current detection period is less than the deviation threshold, where the predicted feature value is determined from each historical feature value of the preset traffic feature in a set number of historical detection periods before the current detection period together with a preset prediction algorithm; if the judgment result is no, the instruction module is triggered;
Instruction module 93, used to send the security gateway a blocking instruction to block the IoT device's traffic transmission, so that the security gateway blocks the traffic transmission of the IoT device.
Preferably, the preset traffic feature includes at least one of the following:
The period of sending data packets, and the peak traffic of sending data packets.
The apparatus further includes:
Receiving and judging module 94, used to receive the IP and/or domain name accessed by the IoT device, as sent by the security gateway, and to judge whether the IP and/or domain name is recorded in the IP and/or domain name whitelist corresponding to the IoT device, where the IP and/or domain name whitelist is determined from the historical IPs and/or historical domain names accessed by the IoT device; if the judgment result is yes, the receiving and determining module is triggered; if the judgment result is no, the instruction module is triggered.
The receiving and judging module 94 is also used, if the difference between the target feature value and the predicted feature value of the preset traffic feature for the current detection period is less than the deviation threshold, to receive the device model of the IoT device sent by the security gateway and to judge whether the target traffic feature value and the IP and/or domain name are in the pre-stored traffic feature set and IP and/or domain name set corresponding to the device model; if the judgment result is no, the instruction module is triggered.
The apparatus further includes:
Receiving and querying module 95, used to receive the link information of the IoT device sent by the security gateway, where the link information includes at least one of the IP, domain name and Uniform Resource Locator (URL) accessed by the IoT device, and to query, according to the link information and a preset threat intelligence engine, whether the link information is malicious link information; if the query result is yes, the receiving and determining module is triggered; if the query result is no, the instruction module is triggered.
Embodiment 10:
Fig. 10 shows a security protection apparatus provided by an embodiment of the present invention, applied to a security gateway. The apparatus includes:
Sending module 101, used to send the real-time traffic of the IoT device connected to itself to the security server, so that the security server determines, from the traffic information of the IoT device at each moment in the current detection period, the target feature value of the preset traffic feature for the IoT device's current detection period;
Receiving and processing module 102, used to receive the blocking instruction, sent by the security server, to block the IoT device's traffic transmission, and to block the traffic transmission of the IoT device; the blocking instruction is sent after the security server determines that the difference between the target feature value and the predicted feature value of the preset traffic feature for the current detection period is not less than the deviation threshold, and the predicted feature value is determined from each historical feature value of the preset traffic feature in a set number of historical detection periods before the current detection period together with a preset prediction algorithm.
The apparatus further includes:
Identifying and sending module 103, used to identify the IP and/or domain name accessed by the IoT device and to send the IP and/or domain name to the security server.
The identifying and sending module 103 is also used to identify the device model of the IoT device and to send the device model to the security server.
The identifying and sending module 103 is specifically used to obtain the device features of the IoT device and to determine the device model of the IoT device according to the device features and a pre-stored matching relation set that contains the matching relations between device models and device features.
The identifying and sending module 103 is also used to identify the link information of the IoT device and to send the link information to the security server, where the link information includes at least one of the IP, domain name and Uniform Resource Locator (URL) accessed by the IoT device.
Embodiment 11:
Figure 11 shows a security protection system provided by an embodiment of the present invention. The system includes: a security server 111 containing the security protection apparatus shown in Figure 9, at least one security gateway 112 containing the security protection apparatus shown in Figure 10, and at least one IoT device 113 connected to the security gateway.
Because the system and apparatus embodiments are substantially similar to the method embodiments, they are described relatively briefly; for the relevant details, refer to the corresponding parts of the description of the method embodiments.
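The server-side decision this system depends on, as an added Python example (not code from the patent): destination pre-checks, per-period feature extraction, prediction from a set number of historical periods, and the deviation test that produces a block instruction for the gateway. The moving-average predictor, the threshold values, the window of three periods, the order of the pre-checks, the use of an absolute difference and all names are assumptions, since the patent specifies only a "preset prediction algorithm" and a "deviation threshold".

```python
from dataclasses import dataclass, field
from statistics import mean

# Assumed values: the patent names a "deviation threshold" and a "set number"
# of historical detection periods but gives no figures.
WINDOW = 3
THRESHOLDS = {"peak_bytes": 500.0, "send_period_s": 5.0}


@dataclass
class DeviceState:
    allowlist: set                               # destinations from the device's access history
    history: dict = field(default_factory=dict)  # feature -> per-period values, oldest first


def period_features(samples):
    """samples: [(send_time_s, bytes_sent), ...] for one detection period."""
    if not samples:
        return {"peak_bytes": 0.0, "send_period_s": 0.0}
    times = sorted(t for t, _ in samples)
    gaps = [b - a for a, b in zip(times, times[1:])]
    return {
        "peak_bytes": float(max(size for _, size in samples)),
        "send_period_s": float(mean(gaps)) if gaps else 0.0,
    }


def predict(values):
    """Assumed predictor: moving average over the last WINDOW periods."""
    return mean(values[-WINDOW:])


def evaluate(state, samples, destinations, is_malicious):
    """Return ("block", reason) or ("allow", "ok") for one detection period."""
    # Pre-checks on the destinations reported by the gateway.
    for dest in destinations:
        if is_malicious(dest):
            return ("block", f"threat-intel:{dest}")
        if dest not in state.allowlist:
            return ("block", f"not-allowlisted:{dest}")

    features = period_features(samples)
    for name, value in features.items():
        past = state.history.get(name, [])
        if len(past) < WINDOW:
            continue  # assumption: not enough history yet, keep learning
        # Block when the difference is NOT less than the threshold (>=).
        if abs(value - predict(past)) >= THRESHOLDS[name]:
            return ("block", f"deviation:{name}")

    # Assumption: only periods that pass extend the baseline, so a blocked
    # burst cannot drag the prediction towards itself.
    for name, value in features.items():
        state.history.setdefault(name, []).append(value)
    return ("allow", "ok")


# Constructed sample data: a camera sending ~1.2 kB keep-alives once a minute.
CLEAN = [
    [(0, 1200), (60, 1180), (120, 1210), (180, 1190)],
    [(0, 1195), (60, 1205), (120, 1185), (180, 1200)],
    [(0, 1210), (61, 1190), (120, 1200), (181, 1205)],
]
BURST = [(0, 1200), (1, 48000), (2, 51000), (3, 50500)]
INTEL = {"bad.example"}  # constructed stand-in for the threat intelligence engine


def run_demo():
    state = DeviceState(allowlist={"cam.vendor.example", "203.0.113.10"})
    lookup = lambda dest: dest in INTEL
    verdicts = [evaluate(state, p, ["cam.vendor.example"], lookup) for p in CLEAN]
    verdicts.append(evaluate(state, BURST, ["cam.vendor.example"], lookup))
    verdicts.append(evaluate(state, CLEAN[0], ["198.51.100.7"], lookup))
    verdicts.append(evaluate(state, CLEAN[0], ["bad.example"], lookup))
    verdicts.append(evaluate(state, CLEAN[0], ["203.0.113.10"], lookup))
    return verdicts, state


if __name__ == "__main__":
    for verdict in run_demo()[0]:
        print(verdict)
```

In a deployment following the patent, a "block" verdict would be sent to the security gateway as the blocking instruction.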
Those skilled in the art should understand that embodiments of the present application may be provided as a method, a system, or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM, optical storage, etc.) that contain computer-usable program code.
The present application is described with reference to flowcharts and/or block diagrams of the method, device (system), and computer program product according to embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce an apparatus for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction apparatus, the instruction apparatus implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present application have been described, those skilled in the art can make additional changes and modifications to these embodiments once they learn of the basic inventive concept. The appended claims are therefore intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the present application.
Obviously, those skilled in the art can make various changes and variations to the present invention without departing from its spirit and scope. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include them.
Claims (21)
1. A security protection method, characterized in that it is applied to a security server, the method comprising:
receiving real-time traffic information of an IoT device sent by a security gateway, and determining, from the traffic information of the IoT device at each moment in the current detection period, the target feature value of a preset traffic feature for the IoT device's current detection period;
judging whether the difference between the target feature value and the predicted feature value of the preset traffic feature for the current detection period is less than a deviation threshold, wherein the predicted feature value is determined from each historical feature value of the preset traffic feature over a set number of historical detection periods preceding the current detection period and a preset prediction algorithm;
if not, sending to the security gateway a blocking instruction to block traffic transmission of the IoT device, so that the security gateway blocks the traffic transmission of the IoT device.
2. The method of claim 1, characterized in that the preset traffic feature comprises at least one of the following:
the period of sending data packets, and the peak traffic of sent data packets.
3. The method of claim 1, characterized in that, before determining, from the traffic information of the IoT device at each moment in the current detection period, the target feature value of the preset traffic feature for the IoT device's current detection period, the method further comprises:
receiving the IP and/or domain name accessed by the IoT device, sent by the security gateway;
judging whether the IP and/or domain name is recorded in the IP and/or domain name whitelist corresponding to the IoT device, wherein the IP and/or domain name whitelist is determined from the historical IPs and/or historical domain names accessed by the IoT device;
if so, performing the subsequent steps;
if not, sending to the security gateway a blocking instruction to block traffic transmission of the IoT device, so that the security gateway blocks the traffic transmission of the IoT device.
4. The method of claim 3, characterized in that, if the difference between the target feature value and the predicted feature value of the preset traffic feature for the current detection period is less than the deviation threshold, the method further comprises:
receiving the device model of the IoT device sent by the security gateway;
judging whether the target traffic feature value and the IP and/or domain name are in the pre-saved traffic feature set and IP and/or domain name set corresponding to the device model;
if not, sending to the security gateway a blocking instruction to block traffic transmission of the IoT device, so that the security gateway blocks the traffic transmission of the IoT device.
5. The method of claim 1, characterized in that, before determining, from the traffic information of the IoT device at each moment in the current detection period, the target feature value of the preset traffic feature for the IoT device's current detection period, the method further comprises:
receiving the link information of the IoT device sent by the security gateway, wherein the link information includes at least one of the IP, domain name, and uniform resource locator (URL) accessed by the IoT device;
querying, according to the link information and a preset threat intelligence engine, through the threat intelligence engine whether the link information is malicious link information;
if not, performing the subsequent steps;
if so, sending to the security gateway a blocking instruction to block traffic transmission of the IoT device, so that the security gateway blocks the traffic transmission of the IoT device.
6. A security protection method, characterized in that it is applied to a security gateway, the method comprising:
sending the real-time traffic of the IoT device connected to the gateway itself to a security server, so that the security server determines, from the traffic information of the IoT device at each moment in the current detection period, the target feature value of a preset traffic feature for the IoT device's current detection period;
receiving a blocking instruction, sent by the security server, to block traffic transmission of the IoT device, and blocking the traffic transmission of the IoT device; wherein the blocking instruction is sent after the security server determines that the difference between the target feature value and the predicted feature value of the preset traffic feature for the current detection period is not less than a deviation threshold, and the predicted feature value is determined from each historical feature value of the preset traffic feature over a set number of historical detection periods preceding the current detection period and a preset prediction algorithm.
7. The method of claim 6, characterized in that the method further comprises:
identifying the IP and/or domain name accessed by the IoT device, and sending the IP and/or domain name to the security server.
8. The method of claim 7, characterized in that the method further comprises:
identifying the device model of the IoT device, and sending the device model to the security server.
9. The method of claim 8, characterized in that identifying the device model of the IoT device comprises:
obtaining the device features of the IoT device, and determining the device model of the IoT device from the device features and a pre-saved matching relationship set containing matching relationships between device models and device features.
10. The method of claim 6, characterized in that the method further comprises:
identifying the link information of the IoT device, and sending the link information to the security server, the link information including at least one of the IP, domain name, and uniform resource locator (URL) accessed by the IoT device.
11. A security protection apparatus, characterized in that it is applied to a security server, the apparatus comprising:
a receiving and determining module, configured to receive real-time traffic information of an IoT device sent by a security gateway, and to determine, from the traffic information of the IoT device at each moment in the current detection period, the target feature value of a preset traffic feature for the IoT device's current detection period;
a judging module, configured to judge whether the difference between the target feature value and the predicted feature value of the preset traffic feature for the current detection period is less than a deviation threshold, wherein the predicted feature value is determined from each historical feature value of the preset traffic feature over a set number of historical detection periods preceding the current detection period and a preset prediction algorithm; and, if the judgment result is no, to trigger the indicating module;
an indicating module, configured to send to the security gateway a blocking instruction to block traffic transmission of the IoT device, so that the security gateway blocks the traffic transmission of the IoT device.
12. The apparatus of claim 11, characterized in that the preset traffic feature comprises at least one of the following:
the period of sending data packets, and the peak traffic of sent data packets.
13. The apparatus of claim 11, characterized in that the apparatus further comprises:
a receiving and judging module, configured to receive the IP and/or domain name accessed by the IoT device, sent by the security gateway; to judge whether the IP and/or domain name is recorded in the IP and/or domain name whitelist corresponding to the IoT device, wherein the IP and/or domain name whitelist is determined from the historical IPs and/or historical domain names accessed by the IoT device; and, if the judgment result is yes, to trigger the receiving and determining module, or, if the judgment result is no, to trigger the indicating module.
14. The apparatus of claim 13, characterized in that the receiving and judging module is further configured, if the difference between the target feature value and the predicted feature value of the preset traffic feature for the current detection period is less than the deviation threshold, to receive the device model of the IoT device sent by the security gateway; to judge whether the target traffic feature value and the IP and/or domain name are in the pre-saved traffic feature set and IP and/or domain name set corresponding to the device model; and, if the judgment result is no, to trigger the indicating module.
15. The apparatus of claim 11, characterized in that the apparatus further comprises:
a receiving and querying module, configured to receive the link information of the IoT device sent by the security gateway, wherein the link information includes at least one of the IP, domain name, and uniform resource locator (URL) accessed by the IoT device; to query, according to the link information and a preset threat intelligence engine, through the threat intelligence engine whether the link information is malicious link information; and, if the query result is yes, to trigger the receiving and determining module, or, if the query result is no, to trigger the indicating module.
16. A security protection apparatus, characterized in that it is applied to a security gateway, the apparatus comprising:
a sending module, configured to send the real-time traffic of the IoT device connected to the gateway itself to a security server, so that the security server determines, from the traffic information of the IoT device at each moment in the current detection period, the target feature value of a preset traffic feature for the IoT device's current detection period;
a receiving and processing module, configured to receive a blocking instruction, sent by the security server, to block traffic transmission of the IoT device, and to block the traffic transmission of the IoT device; wherein the blocking instruction is sent after the security server determines that the difference between the target feature value and the predicted feature value of the preset traffic feature for the current detection period is not less than a deviation threshold, and the predicted feature value is determined from each historical feature value of the preset traffic feature over a set number of historical detection periods preceding the current detection period and a preset prediction algorithm.
17. The apparatus of claim 16, characterized in that the apparatus further comprises:
an identifying and sending module, configured to identify the IP and/or domain name accessed by the IoT device and to send the IP and/or domain name to the security server.
18. The apparatus of claim 17, characterized in that the identifying and sending module is further configured to identify the device model of the IoT device and to send the device model to the security server.
19. The apparatus of claim 18, characterized in that the identifying and sending module is specifically configured to obtain the device features of the IoT device and to determine the device model of the IoT device from the device features and a pre-saved matching relationship set containing matching relationships between device models and device features.
20. The apparatus of claim 16, characterized in that the identifying and sending module is further configured to identify the link information of the IoT device and to send the link information to the security server, the link information including at least one of the IP, domain name, and uniform resource locator (URL) accessed by the IoT device.
21. A security protection system, characterized in that the system comprises: a security server comprising the security protection apparatus of any one of claims 11-15, at least one security gateway comprising the security protection apparatus of any one of claims 16-20, and at least one IoT device connected to the security gateway.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811459368.9A CN109347880A (en) | 2018-11-30 | 2018-11-30 | A kind of safety protecting method, apparatus and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109347880A true CN109347880A (en) | 2019-02-15 |
Family
ID=65319223
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811459368.9A Pending CN109347880A (en) | 2018-11-30 | 2018-11-30 | A kind of safety protecting method, apparatus and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109347880A (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101729389A (en) * | 2008-10-21 | 2010-06-09 | 北京启明星辰信息技术股份有限公司 | Flow control device and method based on flow prediction and trusted network address learning |
CN105721494A (en) * | 2016-03-25 | 2016-06-29 | 中国互联网络信息中心 | Method and device for detecting and disposing abnormal traffic attack |
CN108111542A (en) * | 2018-01-30 | 2018-06-01 | 深圳大学 | Internet of Things ddos attack defence method, device, equipment and medium based on SDN |
CN108270620A (en) * | 2018-01-15 | 2018-07-10 | 深圳市联软科技股份有限公司 | Network anomaly detection method, device, equipment and medium based on Portrait brand technology |
US20180234453A1 (en) * | 2017-02-15 | 2018-08-16 | Cisco Technology, Inc. | Prefetch intrusion detection system |
Cited By (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111131351A (en) * | 2018-10-31 | 2020-05-08 | 中国移动通信集团广东有限公司 | Method and device for confirming model of Internet of things equipment |
CN111131351B (en) * | 2018-10-31 | 2022-09-27 | 中国移动通信集团广东有限公司 | Method and device for confirming model of Internet of things equipment |
CN112350974A (en) * | 2019-08-07 | 2021-02-09 | 中国移动通信集团广东有限公司 | Safety monitoring method and device of Internet of things and electronic equipment |
CN110839032A (en) * | 2019-11-18 | 2020-02-25 | 河南牧业经济学院 | Internet of things abnormal data identification method and system |
WO2021190398A1 (en) * | 2020-03-24 | 2021-09-30 | 华为技术有限公司 | Device model identification method, apparatus and system |
CN113037595A (en) * | 2021-03-29 | 2021-06-25 | 北京奇艺世纪科技有限公司 | Abnormal device detection method and device, electronic device and storage medium |
CN113037595B (en) * | 2021-03-29 | 2022-11-01 | 北京奇艺世纪科技有限公司 | Abnormal device detection method and device, electronic device and storage medium |
CN113472773A (en) * | 2021-06-30 | 2021-10-01 | 中标慧安信息技术股份有限公司 | Illegal data transmission cutting method and system based on intelligent gateway |
CN113472773B (en) * | 2021-06-30 | 2022-08-19 | 中标慧安信息技术股份有限公司 | Illegal data transmission cutting method and system based on intelligent gateway |
CN113452717A (en) * | 2021-07-02 | 2021-09-28 | 安天科技集团股份有限公司 | Method and device for communication software safety protection, electronic equipment and storage medium |
CN114143734A (en) * | 2021-10-22 | 2022-03-04 | 广东省电信规划设计院有限公司 | Data processing method and device for 5G Internet of things network card flow acquisition |
CN115913614A (en) * | 2022-09-19 | 2023-04-04 | 上海辰锐信息科技有限公司 | Network access device and method |
CN118118278A (en) * | 2024-04-29 | 2024-05-31 | 江苏天泽智联信息技术有限公司 | Internet of things gateway safety protection detection method and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20190215 | |