CN109347880A - A kind of safety protecting method, apparatus and system - Google Patents


Publication number
CN109347880A
Authority
CN
China
Prior art keywords
internet
things equipment
flow
feature
security
Legal status
Pending
Application number
CN201811459368.9A
Other languages
Chinese (zh)
Inventor
桑鸿庆
刘文懋
张星
张克雷
Current Assignee
NSFOCUS Information Technology Co Ltd
Beijing NSFocus Information Security Technology Co Ltd
Original Assignee
NSFOCUS Information Technology Co Ltd
Beijing NSFocus Information Security Technology Co Ltd
Application filed by NSFOCUS Information Technology Co Ltd, Beijing NSFocus Information Security Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The invention discloses a security protection method, apparatus and system. The method includes: a security server receives real-time traffic information of an Internet of Things (IoT) device sent by a security gateway and, according to the traffic information of the IoT device at each moment in the current detection period, determines the target feature value of a preset traffic feature for the IoT device in the current detection period; the security server judges whether the difference between the target feature value and the predicted feature value of the preset traffic feature for the current detection period is less than a deviation threshold, where the predicted feature value is determined from each historical feature value of the preset traffic feature in a set quantity of historical detection periods before the current detection period and a preset prediction algorithm; if not, the security server sends the security gateway a blocking instruction to block the traffic transmission of the IoT device, so that the security gateway blocks the traffic transmission of the IoT device. This provides a security protection scheme to protect the security of IoT devices.

Description

A security protection method, apparatus and system
Technical field
The present invention relates to the technical field of network security, and in particular to a security protection method, apparatus and system.
Background
The Internet of Things (IoT) is the third wave of information technology development, after the computer and the Internet. The IoT refers to a network that connects objects to various networks according to agreed protocols for information exchange and communication, in order to achieve intelligent identification, positioning, tracking, monitoring and management. The IoT will bring about extensive "networking" of things with things and of people with things, and in the IoT era networks will be more closely tied to people's daily lives. With the development of IoT technology, IoT devices are increasingly used in fields such as industrial manufacturing and smart homes, bringing great convenience to people's production and daily life.
However, as public attention gradually shifts to the IoT, the security of IoT devices themselves has also drawn the interest of malicious attackers. Because IoT devices are of many types and widely exposed, they are extremely fragile: attackers can easily find and exploit vulnerabilities in them, causing IoT devices to be illegally manipulated and degrading the user experience. In some cases important data on IoT devices is even modified, causing device failure and serious safety accidents. A security protection scheme is therefore urgently needed to protect the security of IoT devices.
Summary of the invention
The present invention provides a security protection method, apparatus and system to protect the security of IoT devices.
In a first aspect, the invention discloses a security protection method applied to a security server, the method comprising:
receiving real-time traffic information of an IoT device sent by a security gateway and, according to the traffic information of the IoT device at each moment in the current detection period, determining the target feature value of a preset traffic feature for the IoT device in the current detection period;
judging whether the difference between the target feature value and the predicted feature value of the preset traffic feature for the current detection period is less than a deviation threshold, where the predicted feature value is determined from each historical feature value of the preset traffic feature in a set quantity of historical detection periods before the current detection period and a preset prediction algorithm;
if not, sending the security gateway a blocking instruction to block the traffic transmission of the IoT device, so that the security gateway blocks the traffic transmission of the IoT device.
Optionally, the preset traffic feature includes at least one of the following:
the period of sending data packets, and the peak traffic of sending data packets.
Optionally, before determining, according to the traffic information of the IoT device at each moment in the current detection period, the target feature value of the preset traffic feature for the IoT device in the current detection period, the method further includes:
receiving the IP and/or domain name accessed by the IoT device, as sent by the security gateway;
judging whether the IP and/or domain name is recorded in the IP and/or domain name whitelist corresponding to the IoT device, where the IP and/or domain name whitelist is determined from the historical IPs and/or historical domain names accessed by the IoT device;
if so, carrying out the subsequent steps;
if not, sending the security gateway a blocking instruction to block the traffic transmission of the IoT device, so that the security gateway blocks the traffic transmission of the IoT device.
Optionally, if the difference between the target feature value and the predicted feature value of the preset traffic feature for the current detection period is less than the deviation threshold, the method further includes:
receiving the device model of the IoT device sent by the security gateway;
judging whether the target traffic feature value and the IP and/or domain name are in the pre-saved traffic feature set and IP and/or domain name set corresponding to the device model;
if not, sending the security gateway a blocking instruction to block the traffic transmission of the IoT device, so that the security gateway blocks the traffic transmission of the IoT device.
Optionally, before determining, according to the traffic information of the IoT device at each moment in the current detection period, the target feature value of the preset traffic feature for the IoT device in the current detection period, the method further includes:
receiving link information of the IoT device sent by the security gateway, where the link information includes at least one of the IP, domain name and uniform resource locator (URL) accessed by the IoT device;
querying, according to the link information and a preset threat intelligence engine, whether the link information is malicious link information by means of the threat intelligence engine;
if not, carrying out the subsequent steps;
if so, sending the security gateway a blocking instruction to block the traffic transmission of the IoT device, so that the security gateway blocks the traffic transmission of the IoT device.
In a second aspect, the invention discloses a security protection method applied to a security gateway, the method comprising:
sending the real-time traffic of an IoT device connected to the gateway itself to a security server, so that the security server determines, according to the traffic information of the IoT device at each moment in the current detection period, the target feature value of a preset traffic feature for the IoT device in the current detection period;
receiving a blocking instruction, sent by the security server, to block the traffic transmission of the IoT device, and blocking the traffic transmission of the IoT device; where the blocking instruction is sent after the security server determines that the difference between the target feature value and the predicted feature value of the preset traffic feature for the current detection period is not less than a deviation threshold, and the predicted feature value is determined from each historical feature value of the preset traffic feature in a set quantity of historical detection periods before the current detection period and a preset prediction algorithm.
Optionally, the method further includes:
identifying the IP and/or domain name accessed by the IoT device, and sending the IP and/or domain name to the security server.
Optionally, the method further includes:
identifying the device model of the IoT device, and sending the device model to the security server.
Optionally, identifying the device model of the IoT device includes:
obtaining the device features of the IoT device, and determining the device model of the IoT device according to the device features and a pre-saved matching relationship set containing matching relationships between device models and device features.
Optionally, the method further includes:
identifying the link information of the IoT device, and sending the link information to the security server, where the link information includes at least one of the IP, domain name and uniform resource locator (URL) accessed by the IoT device.
In a third aspect, the invention discloses a security protection apparatus applied to a security server, the apparatus comprising:
a receiving and determining module, configured to receive real-time traffic information of an IoT device sent by a security gateway and, according to the traffic information of the IoT device at each moment in the current detection period, determine the target feature value of a preset traffic feature for the IoT device in the current detection period;
a judging module, configured to judge whether the difference between the target feature value and the predicted feature value of the preset traffic feature for the current detection period is less than a deviation threshold, where the predicted feature value is determined from each historical feature value of the preset traffic feature in a set quantity of historical detection periods before the current detection period and a preset prediction algorithm; and, if the judgment result is no, to trigger the indicating module;
an indicating module, configured to send the security gateway a blocking instruction to block the traffic transmission of the IoT device, so that the security gateway blocks the traffic transmission of the IoT device.
Optionally, the preset traffic feature includes at least one of the following:
the period of sending data packets, and the peak traffic of sending data packets.
Optionally, the apparatus further includes:
a receiving and judging module, configured to receive the IP and/or domain name accessed by the IoT device, as sent by the security gateway; to judge whether the IP and/or domain name is recorded in the IP and/or domain name whitelist corresponding to the IoT device, where the IP and/or domain name whitelist is determined from the historical IPs and/or historical domain names accessed by the IoT device; and, if the judgment result is yes, to trigger the receiving and determining module, or, if the judgment result is no, to trigger the indicating module.
Optionally, the receiving and judging module is further configured to, if the difference between the target feature value and the predicted feature value of the preset traffic feature for the current detection period is less than the deviation threshold, receive the device model of the IoT device sent by the security gateway; to judge whether the target traffic feature value and the IP and/or domain name are in the pre-saved traffic feature set and IP and/or domain name set corresponding to the device model; and, if the judgment result is no, to trigger the indicating module.
Optionally, the apparatus further includes:
a receiving and querying module, configured to receive link information of the IoT device sent by the security gateway, where the link information includes at least one of the IP, domain name and uniform resource locator (URL) accessed by the IoT device; to query, according to the link information and a preset threat intelligence engine, whether the link information is malicious link information by means of the threat intelligence engine; and, if the query result is yes, to trigger the receiving and determining module, or, if the query result is no, to trigger the indicating module.
In a fourth aspect, the invention discloses a security protection apparatus applied to a security gateway, the apparatus comprising:
a sending module, configured to send the real-time traffic of an IoT device connected to the gateway itself to a security server, so that the security server determines, according to the traffic information of the IoT device at each moment in the current detection period, the target feature value of a preset traffic feature for the IoT device in the current detection period;
a receiving and processing module, configured to receive a blocking instruction, sent by the security server, to block the traffic transmission of the IoT device, and to block the traffic transmission of the IoT device; where the blocking instruction is sent after the security server determines that the difference between the target feature value and the predicted feature value of the preset traffic feature for the current detection period is not less than a deviation threshold, and the predicted feature value is determined from each historical feature value of the preset traffic feature in a set quantity of historical detection periods before the current detection period and a preset prediction algorithm.
Optionally, the apparatus further includes:
an identifying and sending module, configured to identify the IP and/or domain name accessed by the IoT device and send the IP and/or domain name to the security server.
Optionally, the identifying and sending module is further configured to identify the device model of the IoT device and send the device model to the security server.
Optionally, the identifying and sending module is specifically configured to obtain the device features of the IoT device and determine the device model of the IoT device according to the device features and a pre-saved matching relationship set containing matching relationships between device models and device features.
Optionally, the identifying and sending module is further configured to identify the link information of the IoT device and send the link information to the security server, where the link information includes at least one of the IP, domain name and uniform resource locator (URL) accessed by the IoT device.
In a fifth aspect, the invention discloses a security protection system, the system comprising: a security server including the above security protection apparatus, at least one security gateway including the above security protection apparatus, and at least one IoT device connected to the security gateway.
In embodiments of the present invention, the security server determines the predicted feature value of the preset traffic feature for the IoT device from each historical feature value of the preset traffic feature in a set quantity of historical detection periods before the current detection period and a preset prediction algorithm, and thereby determines the normal behavior baseline of the IoT device. When the security server detects that the difference between the target feature value of the preset traffic feature for the IoT device in the current detection period and the predicted feature value exceeds the deviation threshold, that is, the device deviates from its normal behavior baseline, it sends the security gateway a blocking instruction to block the traffic transmission of the IoT device, so that the security gateway blocks the traffic transmission of the IoT device. This provides a security protection scheme for protecting IoT devices.
Brief description of the drawings
To explain the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. The drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of a security protection process provided in an embodiment of the present invention;
Fig. 2 is a schematic diagram of an IP and/or domain name whitelist determination process provided in an embodiment of the present invention;
Fig. 3 is a schematic diagram of a security protection process provided in an embodiment of the present invention;
Fig. 4 is a schematic diagram of the functional architecture of a security server provided in an embodiment of the present invention;
Fig. 5 is a schematic diagram of a security protection process provided in an embodiment of the present invention;
Fig. 6 is a schematic diagram of a device model identification process provided in an embodiment of the present invention;
Fig. 7 is a schematic diagram of the functional architecture of a security gateway provided in an embodiment of the present invention;
Fig. 8 is a work flow diagram of a security gateway provided in an embodiment of the present invention;
Fig. 9 is a security protection apparatus provided in an embodiment of the present invention;
Fig. 10 is a security protection apparatus provided in an embodiment of the present invention;
Fig. 11 is a security protection system provided in an embodiment of the present invention.
Detailed description of the embodiments
To make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the drawings. The described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
It should be understood that, in the description of this application, "and/or" describes an association between associated objects and indicates that three relationships are possible; for example, A and/or B may mean: A alone, both A and B, or B alone. The character "/" generally indicates an "or" relationship between the objects before and after it. "A plurality of" in this application means two or more.
Embodiment 1:
Fig. 1 is a schematic diagram of a security protection process provided in an embodiment of the present invention. The process includes:
S101: receive the real-time traffic information of the IoT device sent by the security gateway and, according to the traffic information of the IoT device at each moment in the current detection period, determine the target feature value of the preset traffic feature for the IoT device in the current detection period.
The security protection method provided in this embodiment is applied to a security server. The security server may also be a security server cluster made up of multiple security servers, or a security platform made up of multiple security servers, and so on. In embodiments of the present invention, there may be one or more security gateways with a communication connection to the security server, and one or more IoT devices connected to a security gateway. The description here takes as an example one security gateway with a communication connection to the security server and one IoT device connected to that security gateway.
Unlike the traffic of traditional terminals such as computers or mobile phones, the business scenario of an IoT device is relatively fixed. The heartbeat data or business data sent by an IoT device has periodic characteristics, and the content of that heartbeat data or business data is relatively fixed. This embodiment uses these characteristics of the heartbeat data or business data sent by the IoT device to provide security protection for the IoT device.
Specifically, the security gateway may send the security server, in real time, the real-time traffic information of the IoT device connected to the security gateway. Preferably, the security gateway may instead use the same detection period as the security server, collect the real-time traffic information of the IoT device within the detection period, and send it to the security server once per detection period, where the detection period may be 1 min, 3 min, 5 min, etc. The security server receives the real-time traffic information of the IoT device sent by the security gateway and, according to the traffic information of the IoT device at each moment in the current detection period, determines the target feature value of the preset traffic feature for the IoT device in the current detection period, where the preset traffic feature includes at least one of the period of sending data packets and the peak traffic of sending data packets. Determining traffic features such as the period of sending data packets and the peak traffic of sending data packets from the traffic information at each moment is prior art and is not described further here.
S102: judge whether the difference between the target feature value and the predicted feature value of the preset traffic feature for the current detection period is less than the deviation threshold; if so, end; if not, carry out S103.
S103: send the security gateway a blocking instruction to block the traffic transmission of the IoT device, so that the security gateway blocks the traffic transmission of the IoT device.
In embodiments of the present invention, the predicted feature value is determined from each historical feature value of the preset traffic feature in a set quantity of historical detection periods before the current detection period and a preset prediction algorithm.
A prediction algorithm, such as a time series algorithm, is preset in the security server. Specifically, for the current detection period, the security server uses the preset prediction algorithm to determine the predicted feature value of the preset traffic feature for the current detection period from each historical feature value of the preset traffic feature in the set quantity of historical detection periods before the current detection period. For example, if the current detection period is the 9th detection period, the set quantity is 5 and the preset prediction algorithm is a time series algorithm, the security server uses the time series algorithm to determine the predicted feature value of the preset traffic feature for the 9th detection period from the historical feature values of the preset traffic feature for the 4th, 5th, 6th, 7th and 8th detection periods.
It should also be noted that, in embodiments of the present invention, there may be one preset traffic feature or several. If there are several preset traffic features, a deviation threshold can be set separately for each one. If the security server determines that, for any preset traffic feature, the difference between the corresponding target feature value and predicted feature value is not less than the deviation threshold for that feature, it determines that the IoT device is abnormal and sends the security gateway a blocking instruction to block the traffic transmission of the IoT device, and the security gateway blocks the traffic transmission of the IoT device.
In addition, when the security server judges that the difference between the target feature value of the preset traffic feature for the IoT device in the current detection period and the predicted feature value of the preset traffic feature for the current detection period is not less than the deviation threshold, it may issue alarm information to notify administrators that the IoT device is abnormal. Preferably, when issuing the alarm information, the security server may also display identification information of the abnormal IoT device, such as its name, so that administrators can identify it.
In embodiments of the present invention, the security server determines, according to the traffic information of the IoT device at each moment in the current detection period, the target feature value of the preset traffic feature for the IoT device in the current detection period. When the difference between the target feature value and the predicted feature value, which is determined from each historical feature value of the preset traffic feature in the set quantity of historical detection periods before the current detection period and the preset prediction algorithm, is not less than the deviation threshold, the security server sends the security gateway a blocking instruction to block the traffic transmission of the IoT device, so that the security gateway blocks the traffic transmission of the IoT device. The traffic transmission of the IoT device is thus blocked when its traffic is abnormal, which provides a security protection scheme for protecting IoT devices.
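The Embodiment 1 decision flow (S101 to S103) as a runnable sketch. This is an added example, not code from the patent: the per-packet sample format, the one-second buckets used for peak traffic, the median inter-packet gap used as the sending period, simple exponential smoothing standing in for the unspecified "time series algorithm", the handling of anomalous periods, and all names and threshold values are assumptions.

```python
from collections import defaultdict, deque
from statistics import median

SET_QUANTITY = 5  # historical detection periods used for prediction (5 in the page's example)


def extract_features(samples):
    """Target feature values for one detection period.

    samples: list of (timestamp_seconds, bytes_sent), one entry per packet
    (assumed format for the gateway's per-moment traffic information).
    """
    times = sorted(t for t, _ in samples)
    gaps = [b - a for a, b in zip(times, times[1:])]
    per_second = defaultdict(int)
    for t, size in samples:
        per_second[int(t)] += size  # bytes sent within each one-second bucket
    return {
        # Assumption: with fewer than two packets no period is observable; report 0.
        "send_period": median(gaps) if gaps else 0.0,
        "peak_traffic": max(per_second.values(), default=0),
    }


def predict(history, alpha=0.5):
    """Simple exponential smoothing over historical feature values, oldest first."""
    values = list(history)
    level = values[0]
    for value in values[1:]:
        level = alpha * value + (1 - alpha) * level
    return level


class BaselineDetector:
    """Per-device state kept by the security server."""

    def __init__(self, thresholds, set_quantity=SET_QUANTITY):
        self.thresholds = thresholds  # one deviation threshold per preset traffic feature
        self.set_quantity = set_quantity
        self.history = {name: deque(maxlen=set_quantity) for name in thresholds}

    def _record(self, target):
        for name in self.thresholds:
            self.history[name].append(target[name])

    def evaluate(self, samples):
        """Return (action, deviations); "block" means send the blocking instruction."""
        target = extract_features(samples)
        if any(len(h) < self.set_quantity for h in self.history.values()):
            self._record(target)  # not enough history yet to predict
            return "learning", {}
        deviations = {}
        for name, threshold in self.thresholds.items():
            predicted = predict(self.history[name])
            # The page blocks when the difference is NOT less than the threshold,
            # so a difference exactly equal to the threshold also blocks.
            if not abs(target[name] - predicted) < threshold:
                deviations[name] = (target[name], predicted)
        if deviations:
            # Assumption: an anomalous period is not added to the baseline history.
            return "block", deviations
        self._record(target)
        return "allow", {}


# Constructed sample periods (60 s each): a 200-byte heartbeat every 10 s,
# and a burst of 1400-byte packets every 0.1 s.
NORMAL = [(t, 200) for t in range(0, 60, 10)]
BURST = [(i / 10, 1400) for i in range(100)]


def demo():
    detector = BaselineDetector({"send_period": 2.0, "peak_traffic": 1000})
    verdicts = [detector.evaluate(NORMAL)[0] for _ in range(6)]
    verdicts.append(detector.evaluate(BURST)[0])
    return verdicts


if __name__ == "__main__":
    print(demo())
```

Because each preset traffic feature has its own threshold, one deviating feature is enough to block, which matches the multi-feature rule described above.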
Embodiment 2:
Unlike traditional terminals such as computers or mobile phones, the destination addresses that an IoT device accesses are relatively fixed and can be enumerated. To further improve the effect of security protection, on the basis of the above embodiment, in the embodiments of the present invention, before determining, according to the traffic information of the IoT device at each moment in the current detection period, the target feature value of the preset traffic feature for the IoT device's current detection period, the method further includes:
Receiving the IP and/or domain name accessed by the IoT device, sent by the security gateway;
Judging whether the IP and/or domain name is recorded in the IP and/or domain name whitelist corresponding to the IoT device, where the IP and/or domain name whitelist is determined from the historical IPs and/or historical domain names accessed by the IoT device;
If so, carrying out the subsequent steps;
If not, sending the security gateway a blocking instruction to block the IoT device's traffic transmission, so that the security gateway blocks the IoT device's traffic transmission.
Specifically, the security gateway can use a traffic collection tool to collect the information in the data packets sent by the IoT device, such as the source IP, destination IP, source port, destination port, application protocol, connection time, Domain Name System (DNS) requests, URLs accessed, and data packet sending status. The security gateway determines the IP and domain name accessed by the IoT device from the device's destination IP and DNS requests, and sends the IP and/or domain name accessed by the IoT device to the security server.
The security server stores in advance the IP and/or domain name whitelist corresponding to each IoT device. As shown in Fig. 2, before security protection is carried out, the security gateway sends the security server the IPs and/or domain names that each IoT device accesses during a period of normal operation. The security server uses machine learning to compile statistics, for each IoT device, on the historical IPs and/or historical domain names it accessed, and computes the IP and/or domain name whitelist corresponding to each IoT device.
When security protection is carried out, the security server receives the IP and/or domain name accessed by the IoT device, sent by the security gateway, and identifies whether that IP and/or domain name is recorded in the IP and/or domain name whitelist corresponding to the IoT device. If it is, the IoT device's access is normal. If it is not, the IoT device's access is abnormal: the security server issues warning information and sends the security gateway a blocking instruction to block the IoT device's traffic transmission, so that the security gateway blocks the IoT device's traffic transmission.
Embodiment 3:
To prevent a single IoT device that has abnormal access or has been attacked from being mistaken for a normal one, on the basis of the above embodiments, in the embodiments of the present invention, if the difference between the target feature value and the predicted feature value of the preset traffic feature for the current detection period is less than the deviation threshold, the method further includes:
Receiving the device model of the IoT device, sent by the security gateway;
Judging whether the target traffic feature value and the IP and/or domain name are in the traffic feature set and the IP and/or domain name set stored in advance for the device model;
If not, sending the security gateway a blocking instruction to block the IoT device's traffic transmission, so that the security gateway blocks the IoT device's traffic transmission.
In the embodiments of the present invention, the security server also stores in advance, for the IoT devices of each device model, the corresponding traffic feature set and IP and/or domain name set. Using a machine learning algorithm, the security server, in advance and for each device model, compiles statistics on the traffic feature values of the preset traffic feature over multiple detection cycles for multiple IoT devices of that device model during normal operation, and determines the traffic feature set corresponding to the device model. It likewise compiles statistics on the multiple IPs and/or domain names accessed by the multiple IoT devices of that device model during normal operation, and determines the IP and/or domain name set corresponding to the device model.
Specifically, after receiving the device model of the IoT device sent by the security gateway, the security server judges whether the target traffic feature value of the IoT device for the current period and the IP and/or domain name it accesses are in the traffic feature set and the IP and/or domain name set stored in advance for that device model. If they are, the IoT device conforms to the behavioural characteristics of IoT devices of that device model. Otherwise, the IoT device does not conform to the behavioural characteristics of IoT devices of that device model, and the security server sends the security gateway a blocking instruction to block the IoT device's traffic transmission, so that the security gateway blocks the IoT device's traffic transmission.
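The following Python sketch is an added illustration, not code from the patent: it shows why the per-device whitelist of Embodiment 2 alone can baseline an already compromised device as normal, and how the device-model sets of Embodiment 3 catch it. The quorum rule, the tolerance band around the median peak, the device names and all sample data are assumptions constructed for the example.

```python
from collections import Counter
from statistics import median

# Constructed learning data for four devices of one device model. cam-4 was
# already compromised while the history was collected.
HISTORY = {
    "cam-1": {"dests": ["api.vendor.example"] * 4 + ["ntp.vendor.example"] * 3,
              "peaks": [12000, 11900, 12100]},
    "cam-2": {"dests": ["api.vendor.example"] * 5 + ["ntp.vendor.example"] * 3,
              "peaks": [11800, 12000, 12200]},
    "cam-3": {"dests": ["api.vendor.example"] * 3 + ["ntp.vendor.example"] * 4,
              "peaks": [12100, 12300, 12000]},
    "cam-4": {"dests": ["api.vendor.example"] * 4 + ["c2.bad.example"] * 5,
              "peaks": [48000, 50000, 52000]},
}


def learn_device_whitelist(accessed, min_hits=3):
    """Per-device whitelist from the destinations one device accessed.

    Assumption: a destination is whitelisted after `min_hits` sightings; the
    page only says the history is counted by machine learning.
    """
    return {dest for dest, hits in Counter(accessed).items() if hits >= min_hits}


def learn_model_profile(devices, quorum=0.5, tolerance=0.5):
    """Device-model destination set and traffic feature set.

    Assumptions: a destination joins the model set when at least `quorum` of
    the devices accessed it, and the traffic feature set is a band of
    +/- `tolerance` around the median of the per-device median peak traffic,
    so one abnormal device cannot widen it.
    """
    seen_by = Counter()
    medians = []
    for data in devices.values():
        seen_by.update(set(data["dests"]))
        medians.append(median(data["peaks"]))
    dests = {d for d, n in seen_by.items() if n >= quorum * len(devices)}
    centre = median(medians)
    return {"dests": dests,
            "peak_range": (centre * (1 - tolerance), centre * (1 + tolerance))}


def decide(dest, peak, deviation_ok, whitelist, profile):
    """Apply the checks in the order the embodiments describe."""
    # Embodiment 2: the destination must be in the device's own whitelist.
    if dest not in whitelist:
        return "block", "destination not in device whitelist"
    # Embodiment 1: result of the deviation-threshold check, computed elsewhere.
    if not deviation_ok:
        return "block", "deviation threshold reached"
    # Embodiment 3: feature value and destination must fit the device model.
    low, high = profile["peak_range"]
    if dest not in profile["dests"] or not low <= peak <= high:
        return "block", "does not match device-model profile"
    return "allow", "ok"


def demo():
    profile = learn_model_profile(HISTORY)
    wl1 = learn_device_whitelist(HISTORY["cam-1"]["dests"])
    wl4 = learn_device_whitelist(HISTORY["cam-4"]["dests"])
    return {
        "cam-1 normal": decide("api.vendor.example", 12100, True, wl1, profile),
        "cam-1 new destination": decide("c2.bad.example", 12100, True, wl1, profile),
        # cam-4 passes its own whitelist and its own prediction, yet is blocked.
        "cam-4 learned-bad destination": decide("c2.bad.example", 50000, True, wl4, profile),
        "cam-4 learned-bad traffic": decide("api.vendor.example", 50000, True, wl4, profile),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(case, "->", verdict)
```
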
Embodiment 4:
To further improve the effect of security protection, on the basis of the above embodiments, in the embodiments of the present invention, before determining, according to the traffic information of the IoT device at each moment in the current detection period, the target feature value of the preset traffic feature for the IoT device's current detection period, the method further includes:
Receiving the link information of the IoT device, sent by the security gateway, where the link information includes at least one of the IP, domain name and Uniform Resource Locator (URL) accessed by the IoT device;
According to the link information and a preset threat intelligence engine, querying through the threat intelligence engine whether the link information is malicious link information;
If not, carrying out the subsequent steps;
If so, sending the security gateway a blocking instruction to block the IoT device's traffic transmission, so that the security gateway blocks the IoT device's traffic transmission.
In the embodiments of the present invention, the security server can also use a third-party threat intelligence engine to judge whether an IoT device is abnormal. Specifically, as shown in Fig. 3, the security gateway sends the link information of the IoT device to the security server; the link information includes the IP, domain name, URL and so on that the device accesses. Based on the link information sent by the security gateway, the security server queries, through the API interface of the preset threat intelligence engine, whether the link information is malicious link information, and receives the threat intelligence engine's query result. If the link information is marked as having a reputation problem, as linked to a command and control server (CNC), or directly as malicious link information, the link information is determined to be malicious link information. If the link information of the IoT device is malicious link information, the security server considers the IoT device to be at risk, issues warning information, and sends the security gateway a blocking instruction to block the IoT device's traffic transmission, so that the security gateway blocks the IoT device's traffic transmission.
Fig. 4 is a schematic diagram of the functional architecture of a security server provided by an embodiment of the present invention. As shown in Fig. 4, the security server includes an anomaly analysis unit, a threat intelligence query unit, a device management unit, a security gateway data receiving unit, a data storage unit, a traffic analysis unit and so on. The security gateway data receiving unit is mainly used to receive the IoT device data sent by the security gateway, such as traffic information and link information, and to store the received IoT device data in the data storage unit. The data storage unit is used to store data such as the IoT device data sent by the security gateway and the processing logs of the security server. The traffic analysis unit is mainly used to analyse the traffic information sent by the security gateway and to predict the traffic features of the IoT device. The threat intelligence query unit is used to query known threat intelligence search engines to learn whether the link information of an IoT device is a malicious link. The abnormal behaviour detection unit is used to detect whether an IoT device shows abnormal behaviour, for example by checking the device's traffic features and the IPs and domain names it accesses, and to raise an alarm when the IoT device is abnormal. The device management unit provides a management portal for administrators and users, for visualized management of the IoT devices directly or indirectly connected to the security server, account management (dashboard) of the security gateway, and so on.
Embodiment 5:
Fig. 5 is a schematic diagram of a security protection process provided by an embodiment of the present invention. The process includes:
S501: Sending the real-time traffic of the IoT device connected to itself to the security server, so that the security server determines, according to the traffic information of the IoT device at each moment in the current detection period, the target feature value of the preset traffic feature for the IoT device's current detection period.
Specifically, the security gateway can send the security server, in real time, the real-time traffic information of the IoT device connected to the security gateway. Preferably, the security gateway can also use the same detection cycle as the security server, collect the real-time traffic information of the IoT device within the detection cycle, and send it to the security server once per detection cycle, where the detection cycle can be 1 min, 3 min, 5 min and so on. The security server receives the real-time traffic information of the IoT device sent by the security gateway and, according to the traffic information of the IoT device at each moment in the current detection period, determines the target feature value of the preset traffic feature for the IoT device's current detection period. The preset traffic feature includes at least one of the period of sending data packets and the peak traffic of sending data packets. Determining traffic features such as the period of sending data packets and the peak traffic of sending data packets from the traffic information at each moment is prior art and is not described again here.
S502: Receiving the blocking instruction, sent by the security server, to block the IoT device's traffic transmission, and blocking the IoT device's traffic transmission.
The blocking instruction is sent after the security server determines that the difference between the target feature value and the predicted feature value of the preset traffic feature for the current detection period is not less than the deviation threshold. The predicted feature value is determined from each historical feature value of the preset traffic feature in a set number of historical detection cycles before the current detection period and a preset prediction algorithm.
A prediction algorithm, such as a time series algorithm, is preset in the security server. Specifically, for the current detection period, the security server uses the preset prediction algorithm to determine the predicted feature value of the preset traffic feature for the current detection period from each historical feature value of the preset traffic feature in the set number of historical detection cycles before the current detection period. For example, if the current detection period is the 9th detection cycle, the set number is 5 and the preset prediction algorithm is a time series algorithm, the security server uses the time series algorithm to determine the predicted feature value of the preset traffic feature for the 9th detection cycle from the historical feature values of the preset traffic feature in the 4th, 5th, 6th, 7th and 8th detection cycles.
In addition, it should be noted that in the embodiments of the present invention there may be one preset traffic feature or several. If there are several, a deviation threshold can be set separately for each preset traffic feature. If the security server determines that, for any preset traffic feature, the difference between the corresponding target feature value and the predicted feature value is not less than the deviation threshold of that preset traffic feature, it determines that the IoT device is abnormal and sends the security gateway a blocking instruction to block the IoT device's traffic transmission. After receiving the blocking instruction, the security gateway blocks the IoT device's traffic transmission.
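The Python sketch below is an added example, not the patent's implementation, of the security server's decision described above: the 9th detection cycle is predicted from cycles 4 to 8 and each preset traffic feature is compared against its own deviation threshold. A moving average stands in for the unspecified time series algorithm, and the feature names, threshold values and traffic figures are constructed assumptions.

```python
from dataclasses import dataclass, field

WINDOW = 5  # set number of historical detection cycles (the page's example uses 5)

# Deviation threshold per preset traffic feature (constructed values).
THRESHOLDS = {"send_period_s": 5.0, "peak_traffic_bps": 20_000.0}


def predict(history, window=WINDOW):
    """Predicted feature value for the next detection cycle.

    Assumption: a moving average over the last `window` cycles stands in for
    the page's unspecified "time series algorithm".
    """
    recent = history[-window:]
    return sum(recent) / len(recent)


@dataclass
class DeviceBaseline:
    device_id: str
    history: dict = field(default_factory=lambda: {name: [] for name in THRESHOLDS})

    def evaluate(self, target):
        """Judge one detection cycle's target feature values.

        Returns (action, deviations): action is "learn", "allow" or "block";
        deviations maps each tripped feature to (target, predicted, difference).
        """
        missing = set(THRESHOLDS) - set(target)
        if missing:
            raise ValueError(f"missing features: {sorted(missing)}")

        # Too little history to predict: record the cycle without judging it.
        if any(len(self.history[name]) < WINDOW for name in THRESHOLDS):
            self._record(target)
            return "learn", {}

        deviations = {}
        for name, threshold in THRESHOLDS.items():
            predicted = predict(self.history[name])
            diff = abs(target[name] - predicted)
            # "not less than the deviation threshold": the boundary value blocks.
            if diff >= threshold:
                deviations[name] = (target[name], predicted, diff)

        if deviations:
            # Assumption: an abnormal cycle is kept out of the history so that
            # it cannot pull later predictions toward the abnormal values.
            return "block", deviations
        self._record(target)
        return "allow", {}

    def _record(self, target):
        for name in THRESHOLDS:
            self.history[name].append(target[name])


def demo():
    """Cycles 1-8 are constructed history; three candidate 9th cycles are judged."""
    device = DeviceBaseline("plug-01")
    periods = [60, 60, 61, 59, 60, 60, 61, 60]
    peaks = [12000, 11800, 12100, 12000, 11900, 12100, 12000, 12000]
    for period, peak in zip(periods, peaks):
        device.evaluate({"send_period_s": period, "peak_traffic_bps": peak})
    return [
        device.evaluate({"send_period_s": 2, "peak_traffic_bps": 950_000}),  # burst
        device.evaluate({"send_period_s": 65, "peak_traffic_bps": 12_000}),  # boundary
        device.evaluate({"send_period_s": 61, "peak_traffic_bps": 12_500}),  # normal
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```
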
Embodiment 6:
Unlike traditional terminals such as computers or mobile phones, the destination addresses that an IoT device accesses are relatively fixed and can be enumerated. To further improve the effect of security protection, on the basis of the above embodiment, in the embodiments of the present invention, the method further includes:
Identifying the IP and/or domain name accessed by the IoT device, and sending the IP and/or domain name to the security server.
Specifically, the security gateway can use a traffic collection tool to collect the information in the data packets sent by the IoT device, such as the source IP, destination IP, source port, destination port, application protocol, connection time, Domain Name System (DNS) requests, URLs accessed, and data packet sending status. The security gateway determines the IP and domain name accessed by the IoT device from the device's destination IP and DNS requests, and sends the IP and/or domain name accessed by the IoT device to the security server.
The security server receives the IP and/or domain name accessed by the IoT device, sent by the security gateway, and identifies whether that IP and/or domain name is recorded in the IP and/or domain name whitelist corresponding to the IoT device. If it is, the IoT device's access is normal. If it is not, the IoT device's access is abnormal: the security server issues warning information and sends the security gateway a blocking instruction to block the IoT device's traffic transmission, so that the security gateway blocks the IoT device's traffic transmission.
Embodiment 7:
To prevent a single IoT device that has abnormal access or has been attacked from being mistaken for a normal one, on the basis of the above embodiments, in the embodiments of the present invention, the method further includes:
Identifying the device model of the IoT device, and sending the device model to the security server.
The security server also stores in advance, for the IoT devices of each device model, the corresponding traffic feature set and IP and/or domain name set. Using a machine learning algorithm, the security server, in advance and for each device model, compiles statistics on the traffic feature values of the preset traffic feature over multiple detection cycles for multiple IoT devices of that device model during normal operation, and determines the traffic feature set corresponding to the device model. It likewise compiles statistics on the multiple IPs and/or domain names accessed by the multiple IoT devices of that device model during normal operation, and determines the IP and/or domain name set corresponding to the device model.
Specifically, the security gateway can directly read the device model information of the IoT device and send it to the security server. After receiving the device model of the IoT device sent by the security gateway, the security server judges whether the target traffic feature value of the IoT device for the current period and the IP and/or domain name it accesses are in the traffic feature set and the IP and/or domain name set stored in advance for that device model. If they are, the IoT device conforms to the behavioural characteristics of IoT devices of that device model. Otherwise, the IoT device does not conform to the behavioural characteristics of IoT devices of that device model, and the security server sends the security gateway a blocking instruction to block the IoT device's traffic transmission, so that the security gateway blocks the IoT device's traffic transmission.
In addition, to ensure that the device model of the IoT device is identified accurately, identifying the device model of the IoT device includes:
Obtaining the device features of the IoT device, and determining the device model of the IoT device according to the device features and a pre-stored matching relationship set containing matching relationships between device models and device features. In the embodiments of the present invention, the device features of an IoT device include one or more of the host name of the IoT device during networking, its Media Access Control (MAC) address, the domain names it accesses, its payload, and so on.
In the embodiments of the present invention, the security gateway stores in advance a matching relationship set containing the matching relationships between each known device model and its device features. After an IoT device connects to the security gateway, the security gateway identifies the device features of the IoT device and, using the matching relationships between device models and device features in the matching relationship set, determines the device model that matches the IoT device.
Preferably, as shown in Fig. 6, after an IoT device connects to the security gateway and establishes a connection with it, the security gateway collects the IoT device's data packets for a certain length of time and identifies device features such as the IoT device's host name, MAC, accessed domain names and payload. It then matches each of these device features against the matching relationships between device models and device features in the matching relationship set. If any device feature matches successfully, the security gateway outputs the corresponding device model and deletes the collected data packets. If no match succeeds, it sends the collected data packets and the IoT device's host name, MAC, accessed domain names and payload to the security server, where the administrator analyses them and generates a matching relationship between the device model of the IoT device and its device features. This matching relationship is issued to the security gateway, which adds it to the matching relationship set, so that the device model of the IoT device can be identified.
Take a "Xiaomi socket" as an example of an IoT device, with the host name "chuangmi-plug-ml_Mi". If the matching relationship set records the matching relationship that an IoT device whose host name contains "chuangmi-plug" is a "Xiaomi socket", the IoT device is determined to be a Xiaomi socket. If the device model of the IoT device cannot be determined from the existing matching relationship set, the data packets of the IoT device collected over a period of time, such as 10 minutes, together with its host name, MAC, accessed domain names and payload, are sent to the security server for analysis, and the resulting matching relationship between the device model and the device features is issued to the security gateway to update the security gateway's matching relationship set.
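As an added example (not the patent's code), the Python sketch below implements the matching described above: a device feature bundle is tested against the matching relationship set, any single matching feature yields the device model, and an unmatched bundle is queued for the security server until a new matching relationship is issued. Only the "chuangmi-plug" host name rule comes from the page; the other rules, model names, MAC prefix and payload marker are constructed, and taking the first matching rule in list order is an assumption.

```python
import re

# Matching relationship set: one entry per (device model, device feature) pair.
RULES = [
    {"model": "Xiaomi socket", "feature": "hostname", "value": "chuangmi-plug"},
    {"model": "example-camera-x1", "feature": "mac", "value": "02:00:5e"},
    {"model": "example-camera-x1", "feature": "domain", "value": "cam.vendor.example"},
]


def normalize_mac(mac):
    """Lower-case, colon-separated form, so 'AA-BB-..' and 'aabb..' compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def rule_matches(rule, features):
    """True when the device feature named by the rule matches its value."""
    kind, value = rule["feature"], rule["value"]
    if kind == "hostname":  # case-insensitive substring of the host name
        return value.lower() in features.get("hostname", "").lower()
    if kind == "mac":  # vendor prefix of the MAC address
        mac = features.get("mac")
        return bool(mac) and normalize_mac(mac).startswith(value.lower())
    if kind == "domain":  # the domain itself or any of its subdomains
        wanted = value.lower()
        return any(d.lower() == wanted or d.lower().endswith("." + wanted)
                   for d in features.get("domains", []))
    if kind == "payload":  # byte marker inside a captured payload
        return value in features.get("payload", b"")
    return False


class ModelIdentifier:
    """Gateway-side identification with a queue of unidentified devices."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.unidentified = []  # feature bundles to send to the security server

    def identify(self, features):
        # Any one matching device feature is enough to output the model.
        for rule in self.rules:
            if rule_matches(rule, features):
                return rule["model"]
        if features not in self.unidentified:
            self.unidentified.append(features)
        return None

    def update(self, rule):
        """Apply a matching relationship issued by the security server."""
        self.rules.append(rule)
        self.unidentified = [f for f in self.unidentified
                             if not rule_matches(rule, f)]


if __name__ == "__main__":
    gateway = ModelIdentifier(RULES)
    print(gateway.identify({"hostname": "chuangmi-plug-ml_Mi"}))
    sensor = {"hostname": "esp-1a2b", "mac": "0A:11:22:33:44:55",
              "domains": ["telemetry.sensor.example"],
              "payload": b"POST /v1/report X-Device: sensor-t2"}
    print(gateway.identify(sensor))  # None: queued for analysis
    gateway.update({"model": "example-sensor-t2", "feature": "payload",
                    "value": b"X-Device: sensor-t2"})
    print(gateway.identify(sensor))
```
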
Embodiment 8:
To further improve the effect of security protection, on the basis of the above embodiments, in the embodiments of the present invention, the method further includes:
Identifying the link information of the IoT device and sending the link information to the security server, where the link information includes at least one of the IP, domain name and Uniform Resource Locator (URL) accessed by the IoT device.
The security server can also use a third-party threat intelligence engine to judge whether an IoT device is abnormal. Specifically, as shown in Fig. 3, the security gateway sends the link information of the IoT device to the security server; the link information includes the IP, domain name, URL and so on that the device accesses. Based on the link information sent by the security gateway, the security server queries, through the API interface of the preset threat intelligence engine, whether the link information is malicious link information, and receives the threat intelligence engine's query result. If the link information is marked as having a reputation problem, as linked to a command and control server (CNC), or directly as malicious link information, the link information is determined to be malicious link information. If the link information of the IoT device is malicious link information, the security server considers the IoT device to be at risk, issues warning information, and sends the security gateway a blocking instruction to block the IoT device's traffic transmission, so that the security gateway blocks the IoT device's traffic transmission.
Fig. 7 is a schematic diagram of the functional architecture of a security gateway provided by an embodiment of the present invention. As shown in Fig. 7, the security gateway includes a traffic collection unit, a device identification unit, a wireless access point (Wireless Access Point, AP) service unit, an instruction receiving unit, a data sending unit, an access control unit, an intrusion detection unit and so on. The device identification unit mainly identifies the device model of a connected IoT device from its device features, which include the host name, the device's network MAC address and so on. The traffic collection unit mainly collects, for the IoT devices connected to the security gateway, the real-time traffic, source IP, destination IP, source port, destination port, application protocol, connection time, DNS requests, URLs accessed, data packet sending status and other information. The intrusion detection unit mainly monitors IoT devices in real time and detects whether any IoT device shows abnormal behaviour such as being intruded, brute-force cracking, abnormal login or scanning. The access control unit is used to block the traffic transmission of an IoT device, for example through a firewall (iptables). The data sending unit is used to send the security server the IoT device's real-time traffic, source IP, destination IP, source port, destination port, application protocol, connection time, Domain Name System (DNS) requests, URLs accessed, data packet sending status and other information, together with the warning information detected by the intrusion detection unit, providing data support for the security server. The instruction receiving unit is used to receive the instructions issued by the security server and apply access control to IoT devices. The AP service unit is used to provide IoT devices with a Wi-Fi or Ethernet connection, giving them network connectivity.
As shown in Fig. 8, in the embodiments of the present invention, when the security gateway detects that an IoT device shows abnormal behaviour such as being intruded, brute-force cracking, abnormal login or scanning, it can directly block the IoT device's traffic transmission, or it can report the IoT device's abnormal behaviour to the security server and decide whether to block the IoT device's traffic transmission according to the security server's instruction.
Embodiment 9:
Fig. 9 shows a security protection apparatus provided by an embodiment of the present invention, applied to a security server. The apparatus includes:
A receiving and determining module 91, configured to receive the real-time traffic information of the IoT device sent by the security gateway and, according to the traffic information of the IoT device at each moment in the current detection period, determine the target feature value of the preset traffic feature for the IoT device's current detection period;
A judging module 92, configured to judge whether the difference between the target feature value and the predicted feature value of the preset traffic feature for the current detection period is less than the deviation threshold, where the predicted feature value is determined from each historical feature value of the preset traffic feature in a set number of historical detection cycles before the current detection period and a preset prediction algorithm; and, if the judgment result is no, to trigger the indicating module;
An indicating module 93, configured to send the security gateway a blocking instruction to block the IoT device's traffic transmission, so that the security gateway blocks the IoT device's traffic transmission.
Preferably, the preset traffic feature includes at least one of the following:
The period of sending data packets, and the peak traffic of sending data packets.
The apparatus further includes:
A receiving and judging module 94, configured to receive the IP and/or domain name accessed by the IoT device, sent by the security gateway; judge whether the IP and/or domain name is recorded in the IP and/or domain name whitelist corresponding to the IoT device, where the IP and/or domain name whitelist is determined from the historical IPs and/or historical domain names accessed by the IoT device; and, if the judgment result is yes, trigger the receiving and determining module, or, if the judgment result is no, trigger the indicating module.
The receiving and judging module 94 is further configured to, if the difference between the target feature value and the predicted feature value of the preset traffic feature for the current detection period is less than the deviation threshold, receive the device model of the IoT device sent by the security gateway; judge whether the target traffic feature value and the IP and/or domain name are in the traffic feature set and the IP and/or domain name set stored in advance for the device model; and, if the judgment result is no, trigger the indicating module.
The apparatus further includes:
A receiving and querying module 95, configured to receive the link information of the IoT device sent by the security gateway, where the link information includes at least one of the IP, domain name and Uniform Resource Locator (URL) accessed by the IoT device; according to the link information and a preset threat intelligence engine, query through the threat intelligence engine whether the link information is malicious link information; and, if the query result is yes, trigger the receiving and determining module, or, if the query result is no, trigger the indicating module.
Embodiment 10:
Fig. 10 shows a security protection apparatus provided by an embodiment of the present invention, applied to a security gateway. The apparatus includes:
A sending module 101, configured to send the real-time traffic of the IoT device connected to itself to the security server, so that the security server determines, according to the traffic information of the IoT device at each moment in the current detection period, the target feature value of the preset traffic feature for the IoT device's current detection period;
A receiving and processing module 102, configured to receive the blocking instruction, sent by the security server, to block the IoT device's traffic transmission, and to block the IoT device's traffic transmission. The blocking instruction is sent after the security server determines that the difference between the target feature value and the predicted feature value of the preset traffic feature for the current detection period is not less than the deviation threshold; the predicted feature value is determined from each historical feature value of the preset traffic feature in a set number of historical detection cycles before the current detection period and a preset prediction algorithm.
The apparatus further includes:
An identifying and sending module 103, configured to identify the IP and/or domain name accessed by the IoT device and send the IP and/or domain name to the security server.
The identifying and sending module 103 is further configured to identify the device model of the IoT device and send the device model to the security server.
The identifying and sending module 103 is specifically configured to obtain the device features of the IoT device and determine the device model of the IoT device according to the device features and a pre-stored matching relationship set containing matching relationships between device models and device features.
The identifying and sending module 103 is further configured to identify the link information of the IoT device and send the link information to the security server, where the link information includes at least one of the IP, domain name and Uniform Resource Locator (URL) accessed by the IoT device.
Embodiment 11:
Figure 11 shows a security protection system provided by an embodiment of the present invention. The system includes: a security server 111 containing the security protection apparatus shown in Figure 9, at least one security gateway 112 containing the security protection apparatus shown in Figure 10, and at least one IoT device 113 connected to the security gateway.
Because the system and apparatus embodiments are substantially similar to the method embodiments, they are described relatively briefly; for the relevant details, refer to the description of the method embodiments.
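The server-side decision that these modules implement (threat intelligence query, whitelist check, deviation from the predicted feature value, device-model profile), as an added Python example that is not part of the patent. The exponentially weighted average standing in for the "preset prediction algorithm", the mean inter-packet gap and per-second byte peak used as the two features, the fail-closed handling of unknown models, and all names, addresses and thresholds are assumptions.

```python
from dataclasses import dataclass
from statistics import mean

# Constructed sample data: every name, address and number here is an assumption.
THREAT_INTEL = {"198.51.100.7"}   # stand-in for the threat intelligence engine
WHITELIST = {"cam-01": {"192.0.2.10", "updates.example.com"}}  # from access history


@dataclass(frozen=True)
class ModelProfile:
    """Pre-saved envelope for one device model: feature ranges and destinations."""
    period: tuple        # (min, max) seconds between packets
    peak: tuple          # (min, max) bytes in the busiest second
    destinations: frozenset


PROFILES = {
    "ACME-CAM-1": ModelProfile((4.0, 6.0), (0, 2000),
                               frozenset({"192.0.2.10", "updates.example.com"})),
}


def features(samples):
    """Target feature values for one detection period.

    samples: list of (timestamp_seconds, packet_bytes) seen by the gateway.
    """
    times = sorted(t for t, _ in samples)
    gaps = [b - a for a, b in zip(times, times[1:])]
    per_second = {}
    for t, size in samples:
        per_second[int(t)] = per_second.get(int(t), 0) + size
    return {"period": mean(gaps) if gaps else 0.0,
            "peak": max(per_second.values(), default=0)}


def predict(history, alpha=0.5):
    """Exponentially weighted average of historical feature values, oldest first.

    Assumption: the patent only says "preset prediction algorithm".
    """
    value = history[0]
    for h in history[1:]:
        value = alpha * h + (1 - alpha) * value
    return value


def decide(device, model, destinations, samples, history, thresholds):
    """Return ("block", reason) or ("allow", target_features)."""
    dests = set(destinations)
    # Checks that run before any feature value is computed.
    if dests & THREAT_INTEL:
        return "block", "threat-intel"
    if not dests <= WHITELIST.get(device, set()):
        return "block", "not-whitelisted"
    # Block when |target - predicted| is not less than the deviation threshold.
    target = features(samples)
    for name, value in target.items():
        if history.get(name) and abs(value - predict(history[name])) >= thresholds[name]:
            return "block", "deviation:" + name
    # Traffic matches the device's own past; compare it with its model's profile.
    profile = PROFILES.get(model)
    if profile is None:
        return "block", "unknown-model"   # assumption: fail closed
    in_range = (profile.period[0] <= target["period"] <= profile.period[1]
                and profile.peak[0] <= target["peak"] <= profile.peak[1])
    if not in_range or not dests <= profile.destinations:
        return "block", "model-profile"
    return "allow", target
```

The device-model check catches a device whose traffic is consistent with its own history but outside what its model normally does, for example a baseline learned after the device was already misbehaving.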
Those skilled in the art should understand that embodiments of the present application may be provided as a method, a system, or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM, optical memory, etc.) containing computer-usable program code.
The present application is described with reference to flowcharts and/or block diagrams of methods, devices (systems), and computer program products according to embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor, or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce an apparatus for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction apparatus, the instruction apparatus implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operation steps is executed on the computer or other programmable device to produce computer-implemented processing, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present application have been described, those skilled in the art can make additional changes and modifications to these embodiments once they learn of the basic inventive concept. The appended claims are therefore intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the present application.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. If these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include them.

Claims (21)

1. A security protection method, characterized in that it is applied to a security server, the method comprising:
Receiving real-time traffic information of an IoT device sent by a security gateway, and determining, according to the traffic information of the IoT device at each moment within a current detection period, a target feature value of a preset traffic feature for the IoT device in the current detection period;
Judging whether the difference between the target feature value and a predicted feature value of the preset traffic feature for the current detection period is less than a deviation threshold, wherein the predicted feature value is determined according to each historical feature value of the preset traffic feature in a set number of historical detection periods before the current detection period and a preset prediction algorithm;
If not, sending to the security gateway a blocking instruction for blocking traffic transmission of the IoT device, so that the security gateway blocks the traffic transmission of the IoT device.
2. The method of claim 1, characterized in that the preset traffic feature comprises at least one of the following:
The period of sending data packets, and the peak traffic of sent data packets.
3. The method of claim 1, characterized in that, before the determining, according to the traffic information of the IoT device at each moment within the current detection period, of the target feature value of the preset traffic feature for the IoT device in the current detection period, the method further comprises:
Receiving the IP and/or domain name accessed by the IoT device, sent by the security gateway;
Judging whether the IP and/or domain name is recorded in the IP and/or domain name whitelist corresponding to the IoT device, wherein the IP and/or domain name whitelist is determined according to the historical IPs and/or historical domain names accessed by the IoT device;
If so, performing the subsequent steps;
If not, sending to the security gateway a blocking instruction for blocking traffic transmission of the IoT device, so that the security gateway blocks the traffic transmission of the IoT device.
4. The method of claim 3, characterized in that, if the difference between the target feature value and the predicted feature value of the preset traffic feature for the current detection period is less than the deviation threshold, the method further comprises:
Receiving the device model of the IoT device sent by the security gateway;
Judging whether the target traffic feature value and the IP and/or domain name are in the pre-saved traffic feature set and IP and/or domain name set corresponding to the device model;
If not, sending to the security gateway a blocking instruction for blocking traffic transmission of the IoT device, so that the security gateway blocks the traffic transmission of the IoT device.
5. The method of claim 1, characterized in that, before the determining, according to the traffic information of the IoT device at each moment within the current detection period, of the target feature value of the preset traffic feature for the IoT device in the current detection period, the method further comprises:
Receiving link information of the IoT device sent by the security gateway, wherein the link information includes at least one of the IP, domain name, and uniform resource locator (URL) accessed by the IoT device;
Querying, through a preset threat intelligence engine and according to the link information, whether the link information is malicious link information;
If not, performing the subsequent steps;
If so, sending to the security gateway a blocking instruction for blocking traffic transmission of the IoT device, so that the security gateway blocks the traffic transmission of the IoT device.
6. A security protection method, characterized in that it is applied to a security gateway, the method comprising:
Sending the real-time traffic of an IoT device connected to the gateway to a security server, so that the security server determines, according to the traffic information of the IoT device at each moment within a current detection period, a target feature value of a preset traffic feature for the IoT device in the current detection period;
Receiving a blocking instruction, sent by the security server, for blocking traffic transmission of the IoT device, and blocking the traffic transmission of the IoT device; wherein the blocking instruction is sent after the security server determines that the difference between the target feature value and a predicted feature value of the preset traffic feature for the current detection period is not less than a deviation threshold, and the predicted feature value is determined according to each historical feature value of the preset traffic feature in a set number of historical detection periods before the current detection period and a preset prediction algorithm.
7. The method of claim 6, characterized in that the method further comprises:
Identifying the IP and/or domain name accessed by the IoT device, and sending the IP and/or domain name to the security server.
8. The method of claim 7, characterized in that the method further comprises:
Identifying the device model of the IoT device, and sending the device model to the security server.
9. The method of claim 8, characterized in that the identifying of the device model of the IoT device comprises:
Obtaining the device features of the IoT device, and determining the device model of the IoT device according to the device features and a pre-saved matching relationship set containing matching relationships between device models and device features.
10. The method of claim 6, characterized in that the method further comprises:
Identifying the link information of the IoT device, and sending the link information to the security server, wherein the link information includes at least one of the IP, domain name, and uniform resource locator (URL) accessed by the IoT device.
11. A security protection apparatus, characterized in that it is applied to a security server, the apparatus comprising:
A receiving and determining module, configured to receive real-time traffic information of an IoT device sent by a security gateway, and to determine, according to the traffic information of the IoT device at each moment within a current detection period, a target feature value of a preset traffic feature for the IoT device in the current detection period;
A judgment module, configured to judge whether the difference between the target feature value and a predicted feature value of the preset traffic feature for the current detection period is less than a deviation threshold, wherein the predicted feature value is determined according to each historical feature value of the preset traffic feature in a set number of historical detection periods before the current detection period and a preset prediction algorithm; and, if the judgment result is no, to trigger an indicating module;
The indicating module, configured to send to the security gateway a blocking instruction for blocking traffic transmission of the IoT device, so that the security gateway blocks the traffic transmission of the IoT device.
12. The apparatus of claim 11, characterized in that the preset traffic feature comprises at least one of the following:
The period of sending data packets, and the peak traffic of sent data packets.
13. The apparatus of claim 11, characterized in that the apparatus further comprises:
A receiving and judging module, configured to receive the IP and/or domain name accessed by the IoT device, sent by the security gateway; and to judge whether the IP and/or domain name is recorded in the IP and/or domain name whitelist corresponding to the IoT device, wherein the IP and/or domain name whitelist is determined according to the historical IPs and/or historical domain names accessed by the IoT device; if the judgment result is yes, to trigger the receiving and determining module, and if the judgment result is no, to trigger the indicating module.
14. The apparatus of claim 13, characterized in that the receiving and judging module is further configured to, if the difference between the target feature value and the predicted feature value of the preset traffic feature for the current detection period is less than the deviation threshold, receive the device model of the IoT device sent by the security gateway; to judge whether the target traffic feature value and the IP and/or domain name are in the pre-saved traffic feature set and IP and/or domain name set corresponding to the device model; and, if the judgment result is no, to trigger the indicating module.
15. The apparatus of claim 11, characterized in that the apparatus further comprises:
A receiving and querying module, configured to receive link information of the IoT device sent by the security gateway, wherein the link information includes at least one of the IP, domain name, and uniform resource locator (URL) accessed by the IoT device; and to query, through a preset threat intelligence engine and according to the link information, whether the link information is malicious link information; if the query result is yes, to trigger the receiving and determining module, and if the query result is no, to trigger the indicating module.
16. A security protection apparatus, characterized in that it is applied to a security gateway, the apparatus comprising:
A sending module, configured to send the real-time traffic of an IoT device connected to the gateway to a security server, so that the security server determines, according to the traffic information of the IoT device at each moment within a current detection period, a target feature value of a preset traffic feature for the IoT device in the current detection period;
A receiving and processing module, configured to receive a blocking instruction, sent by the security server, for blocking traffic transmission of the IoT device, and to block the traffic transmission of the IoT device; wherein the blocking instruction is sent after the security server determines that the difference between the target feature value and a predicted feature value of the preset traffic feature for the current detection period is not less than a deviation threshold, and the predicted feature value is determined according to each historical feature value of the preset traffic feature in a set number of historical detection periods before the current detection period and a preset prediction algorithm.
17. The apparatus of claim 16, characterized in that the apparatus further comprises:
An identifying and sending module, configured to identify the IP and/or domain name accessed by the IoT device and send the IP and/or domain name to the security server.
18. The apparatus of claim 17, characterized in that the identifying and sending module is further configured to identify the device model of the IoT device and send the device model to the security server.
19. The apparatus of claim 18, characterized in that the identifying and sending module is specifically configured to obtain the device features of the IoT device and determine the device model of the IoT device according to the device features and a pre-saved matching relationship set containing matching relationships between device models and device features.
20. The apparatus of claim 16, characterized in that the identifying and sending module is further configured to identify the link information of the IoT device and send the link information to the security server, wherein the link information includes at least one of the IP, domain name, and uniform resource locator (URL) accessed by the IoT device.
21. A security protection system, characterized in that the system comprises: a security server containing the security protection apparatus of any one of claims 11-15, at least one security gateway containing the security protection apparatus of any one of claims 16-20, and at least one IoT device connected to the security gateway.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811459368.9A CN109347880A (en) 2018-11-30 2018-11-30 A kind of safety protecting method, apparatus and system


Publications (1)

Publication Number Publication Date
CN109347880A true CN109347880A (en) 2019-02-15

Family

ID=65319223


Country Status (1)

Country Link
CN (1) CN109347880A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
Application publication date: 20190215