CN109450927B - System and method for quickly identifying access camera - Google Patents

Info

Publication number: CN109450927B
Authority: CN (China)
Prior art keywords: onvif, alarm, camera, detection module, sending
Legal status: Active
Application number: CN201811494374.8A
Other languages: Chinese (zh)
Other versions: CN109450927A (en)
Inventors: 罗治华, 何俊
Current Assignee: Hangzhou Infogo Tech Co ltd
Original Assignee: Hangzhou Infogo Tech Co ltd
Application filed by Hangzhou Infogo Tech Co ltd
Priority to CN201811494374.8A
Publication of CN109450927A
Application granted
Publication of CN109450927B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/243 Classification techniques relating to the number of classes
    • G06F18/24323 Tree-organised classifiers
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Abstract

The invention relates to the technical field of Internet of things security, and discloses a system for quickly identifying an access camera, characterized in that the system comprises an onvif broadcast detection module, an onvif directional detection module and an alarm module; the onvif broadcast detection module is used for sending an onvif broadcast to all ip addresses in the local area network, identifying any ip address that does not return a device service address as non-camera equipment, and sending alarm information; the onvif directional detection module is used for probing ip addresses across network segments using unicast messages of the onvif protocol, generating an onvif rule tree, and performing matching identification on the matching rule of the root node; and the alarm module is used for receiving the alarm message and sending it to the server. Compared with a type identification scheme based on nmap and sniffer queries, the method can obtain more attribute data than nmap and sniffer and reduces the time complexity by at least several times, so that the security risk of non-camera equipment masquerading as a camera can be discovered quickly.

Description

System and method for quickly identifying access camera
Technical Field
The invention relates to the technical field of Internet of things security, in particular to a system and a method for quickly identifying an access camera.
Background
The internet of things has become a hotspot of current network development, and internet-of-things networks composed of cameras are an important component of public safety and national security. Since most cameras are installed and operated in open environments, the physical interfaces connecting them to the network are often unattended, and external equipment can easily intrude into the network directly through these interfaces. For example, an outside PC only needs to change its ip and mac addresses to those of a camera to connect to the network, after which it can access various data on other cameras, including retrieving sensitive video material and accessing and downloading video data.
The existing technical solution to this problem is a terminal type identification system, which generally acquires various attribute data of a terminal device through remote tools, forms a type fingerprint, and matches the fingerprint against the device types in an existing type library; if the fingerprint matches a PC or other device, the device is identified as the corresponding device type. When the device type originally recorded for a certain ip is a camera and the current device type is a PC, a counterfeit camera access event is deemed to have occurred, and a security alarm is triggered.
The main implementation flow of the type identification system is as follows:
1. call the rule forest module, and look up the first type rule tree submodule in the module;
2. when some attribute data of the device matches the root node rule of a type rule tree, enter the child node branch corresponding to that rule and continue by matching the second-level rules;
3. when some attribute data of the device matches a second-level rule, enter the child node branch corresponding to that rule and continue by matching the third-level rules;
4. match the child node rules recursively; if a leaf node of this type's rule tree is reached, go to step 5; otherwise return to step 1 and look up the next type rule tree submodule;
5. find the corresponding device type data in the leaf node, and identify the device as that device type.
In existing type identification systems, remote query tools such as nmap and sniffer are mainly used. Since most terminals in a conventional network are PCs, the type identification system by default searches the PC-type rule tree submodules first and, when no PC type matches, goes on to search the rule tree submodules of other types (such as servers), and so on. In this case, to determine that 1 device is not a camera, the type of the device has to be determined first, so in the worst case all rule tree submodules in the system may need to be traversed to determine the final type. Where N is the depth of a rule tree and M is the number of type rule trees, in an environment with L cameras the time complexity of the existing method is O(N × M × L).
Patent No. CN200710124567.X discloses a dynamic identification method for camera software on embedded devices, which allows a device to keep working normally without updating its camera driver after any camera is swapped, but it cannot solve the complex type-identification problem.
Because of the numerous terminal types in existing information systems, the number of type rule tree submodules is often more than 1000; even if searching one rule tree submodule takes only 1 second, traversing the whole system takes more than 15 minutes. For a network comprising 1 million cameras, determining all device types in the network will take in excess of 4 months (3000 hours). Even with multi-threaded computation, the time required in real applications is measured in days, which often leaves a large security hole for malicious intruders.
Disclosure of Invention
To address the long search time and large potential security risk of the prior art, the invention provides a system and a method for quickly identifying an access camera.
The above technical problems are solved by the following technical solutions.
A system for quickly identifying an access camera comprises an onvif broadcast detection module, an onvif directional detection module and an alarm module;
the onvif broadcast detection module is used for sending an onvif broadcast to all ip addresses in the local area network, identifying any ip address that does not return a device service address as non-camera equipment, and sending alarm information;
the onvif directional detection module is used for probing ip addresses across network segments using unicast messages of the onvif protocol, generating an onvif rule tree, and performing matching identification on the matching rule of the root node;
and the alarm module is used for receiving the alarm message and sending it to the server.
Preferably, the system further comprises a complexity calculation module, which is used for querying all IPs according to the response time in all local area networks after the broadcasts sent by the onvif broadcast detection module and the onvif directional detection module, obtaining the number of all IP addresses and the depth of all onvif rule trees, and calculating the time complexity.
Preferably, the matching rule is: if the root node matches, continue to recursively match the child nodes downwards until a leaf node is matched; if the root node or a leaf node fails to match during the matching process, send an alarm message to the alarm module.
Preferably, the time complexity is calculated from the number of all IP addresses and the depth of all onvif rule trees.
A method for quickly identifying an access camera comprises the following steps:
sending an onvif broadcast to all ip addresses in the local area network, identifying any ip address that does not return a device service address as non-camera equipment, and sending alarm information;
probing ip addresses across network segments using unicast messages of the onvif protocol, generating an onvif rule tree, and performing matching identification on the matching rule of the root node.
Preferably, the method further comprises an alarm step for receiving the alarm message and sending it to the server.
Preferably, the matching rule is: if the root node matches, continue to recursively match the child nodes downwards until a leaf node is matched; if the root node or a leaf node fails to match during the matching process, send an alarm message to the alarm step.
By adopting the above technical solution, the invention achieves the following notable technical effects: compared with a type identification scheme based on nmap and sniffer queries, the system of the invention queries ip addresses directly with the international standard camera discovery protocol onvif, and can obtain more attribute data than nmap and sniffer; in addition, the system matches against the onvif rule tree by default, and compared with a system that first matches against the PC-type rule tree submodule, the time complexity is reduced by at least several times (at best, identification in constant time is achieved), so that the security risk of non-camera equipment masquerading as a camera can be discovered quickly.
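The broadcast detection step above, sketched as an added Python example (not code from the patent): it builds the WS-Discovery Probe that ONVIF discovery uses, extracts the device service addresses (XAddrs) from the replies, and flags every registered camera ip that returned none. The inventory, the sample replies and the rule that an XAddrs entry must point back at the replying ip are assumptions of this example.

```python
import socket
import uuid
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

WSD_GROUP = ("239.255.255.250", 3702)  # WS-Discovery multicast group used by ONVIF
NS = {"d": "http://schemas.xmlsoap.org/ws/2005/04/discovery"}

PROBE = """<?xml version="1.0" encoding="UTF-8"?>
<e:Envelope xmlns:e="http://www.w3.org/2003/05/soap-envelope"
  xmlns:w="http://schemas.xmlsoap.org/ws/2004/08/addressing"
  xmlns:d="http://schemas.xmlsoap.org/ws/2005/04/discovery"
  xmlns:dn="http://www.onvif.org/ver10/network/wsdl">
 <e:Header>
  <w:MessageID>uuid:{msg_id}</w:MessageID>
  <w:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</w:To>
  <w:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/Probe</w:Action>
 </e:Header>
 <e:Body><d:Probe><d:Types>dn:NetworkVideoTransmitter</d:Types></d:Probe></e:Body>
</e:Envelope>"""

def build_probe():
    """One Probe message with a fresh MessageID, asking for video transmitters."""
    return PROBE.format(msg_id=uuid.uuid4()).encode()

def probe_lan(timeout=2.0):
    """Send one Probe and collect (source_ip, xml_bytes) replies until timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    replies = []
    try:
        sock.sendto(build_probe(), WSD_GROUP)
        while True:
            data, (src, _port) = sock.recvfrom(65535)
            replies.append((src, data))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return replies

def service_addresses(xml_bytes):
    """Return the device service addresses (XAddrs) listed in a ProbeMatches reply."""
    # Replies are untrusted input: SOAP carries no DTD, so refuse one outright.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        return []
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return []  # not XML at all: counts as "no service address returned"
    addrs = []
    for node in root.iterfind(".//d:ProbeMatch/d:XAddrs", NS):
        addrs.extend((node.text or "").split())
    return addrs

def find_non_cameras(expected_cameras, replies):
    """Registered camera ips that did not return a service address for themselves."""
    answered = set()
    for src, data in replies:
        for xaddr in service_addresses(data):
            # Assumption of this example: the address must point back at the sender.
            if urlparse(xaddr).hostname == src:
                answered.add(src)
    return sorted(set(expected_cameras) - answered)

# Constructed sample data (documentation address range), not captured traffic.
_MATCH = (b'<e:Envelope xmlns:e="http://www.w3.org/2003/05/soap-envelope" '
          b'xmlns:d="http://schemas.xmlsoap.org/ws/2005/04/discovery"><e:Body>'
          b'<d:ProbeMatches><d:ProbeMatch><d:XAddrs>http://%s/onvif/device_service'
          b'</d:XAddrs></d:ProbeMatch></d:ProbeMatches></e:Body></e:Envelope>')
SAMPLE_REPLIES = [
    ("192.0.2.10", _MATCH % b"192.0.2.10"),
    ("192.0.2.11", _MATCH % b"192.0.2.11"),
    ("192.0.2.13", b"not soap"),          # answers on the port, but not as a camera
]
EXPECTED_CAMERAS = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"]

if __name__ == "__main__":
    for ip in find_non_cameras(EXPECTED_CAMERAS, SAMPLE_REPLIES):
        print("ALARM: no device service address from", ip)
```

On a live segment, pass the result of `probe_lan()` to `find_non_cameras` in place of the sample replies.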
Drawings
FIG. 1 is a schematic diagram of a system and method for quickly identifying an access camera according to the present invention;
FIG. 2 is a schematic diagram illustrating operation of an alarm module in the system and method for quickly identifying an access camera according to the present invention;
FIG. 3 is a schematic diagram of an identification result in the system and method for quickly identifying the access camera according to the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples.
Example 1
As shown in FIG. 1, a system for quickly identifying an access camera includes an onvif broadcast detection module, an onvif directional detection module, and an alarm module;
the onvif broadcast detection module is used for sending an onvif broadcast to all ip addresses in the local area network, identifying any ip address that does not return a device service address as non-camera equipment, and sending alarm information;
the onvif directional detection module is used for probing ip addresses across network segments using unicast messages of the onvif protocol, generating an onvif rule tree, and performing matching identification on the matching rule of the root node;
and the alarm module is used for receiving the alarm message and sending it to the server.
The system also comprises a complexity calculation module, which is used for querying all IPs according to the response time in all local area networks after the broadcasts sent by the onvif broadcast detection module and the onvif directional detection module, obtaining the number of all IP addresses and the depth of all onvif rule trees, and calculating the time complexity.
The matching rule is as follows: if the root node matches, continue to recursively match the child nodes downwards until a leaf node is matched; if the root node or a leaf node fails to match during the matching process, send an alarm message to the alarm module.
The time complexity is calculated from the number of all IP addresses and the depth of all onvif rule trees.
Compared with a type identification scheme based on nmap and sniffer queries, the system of the invention queries ip addresses directly with the international standard camera discovery protocol onvif, and can obtain more attribute data than nmap and sniffer; in addition, the system matches against the onvif rule tree by default, and compared with a system that first matches against the PC-type rule tree submodule, the time complexity is reduced by at least several times (at best, identification in constant time is achieved), so that the security risk of non-camera equipment masquerading as a camera can be discovered quickly.
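The matching rule and the complexity argument above, as an added Python example (not code from the patent): it walks a 4-layer onvif rule tree from root to leaf, raises an alarm on the first mismatch, and counts rule evaluations next to the prior-art traversal of a forest of type trees. The attribute names, rule values and the 1000-tree forest are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    attr: str                                     # attribute the rule tests
    value: str                                    # value the attribute must have
    children: list = field(default_factory=list)  # next-level rules
    device_type: str = ""                         # set on leaf nodes only

def match_tree(node, attrs, counter):
    """Match this node, then recurse into its children until a leaf is reached.

    Returns the leaf's device type, or None on any mismatch. counter[0] is
    incremented once per rule evaluated.
    """
    counter[0] += 1
    if attrs.get(node.attr) != node.value:
        return None
    if not node.children:
        return node.device_type
    for child in node.children:
        found = match_tree(child, attrs, counter)
        if found is not None:
            return found
    return None

def identify_with_forest(forest, attrs):
    """Prior-art flow: try the type trees in order until one reaches a leaf."""
    counter = [0]
    for tree in forest:
        found = match_tree(tree, attrs, counter)
        if found is not None:
            return found, counter[0]
    return None, counter[0]

def check_camera(onvif_tree, attrs):
    """Flow described above: match the onvif tree only, alarm on any mismatch."""
    counter = [0]
    found = match_tree(onvif_tree, attrs, counter)
    return {"alarm": found is None, "type": found, "rules_evaluated": counter[0]}

# Constructed 4-layer onvif rule tree (hypothetical attribute names and values).
ONVIF_TREE = Rule("xaddrs_returned", "yes", [
    Rule("Manufacturer", "ExampleCam", [
        Rule("Model", "EC-100", [
            Rule("HardwareId", "rev-A", device_type="ip-camera")])])])

# Constructed prior-art forest: M = 1000 single-rule type trees.
FOREST = [Rule("os", f"os-{i}", device_type=f"type-{i}") for i in range(1000)]

CAMERA = {"xaddrs_returned": "yes", "Manufacturer": "ExampleCam",
          "Model": "EC-100", "HardwareId": "rev-A"}
# A non-camera device whose own type tree happens to be last in the forest.
INTRUDER = {"xaddrs_returned": "no", "os": "os-999"}

if __name__ == "__main__":
    print("camera        :", check_camera(ONVIF_TREE, CAMERA))
    print("intruder      :", check_camera(ONVIF_TREE, INTRUDER))
    print("forest, worst :", identify_with_forest(FOREST, INTRUDER))
```

With these constructed inputs the onvif-first check rejects the intruder after one rule, while the forest traversal evaluates all 1000 root rules before it can name the device type.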
Example 2
As shown in FIG. 1, a method for quickly identifying an access camera includes the following steps:
sending an onvif broadcast to all ip addresses in the local area network, identifying any ip address that does not return a device service address as non-camera equipment, and sending alarm information;
probing ip addresses across network segments using unicast messages of the onvif protocol, generating an onvif rule tree, and performing matching identification on the matching rule of the root node.
The method also comprises an alarm step for receiving the alarm message and sending it to the server.
The matching rule is as follows: if the root node matches, continue to recursively match the child nodes downwards until a leaf node is matched; if the root node or a leaf node fails to match during the matching process, send an alarm message to the alarm step.
Example 3
As shown in FIG. 2 and FIG. 3, a system for quickly identifying an access camera includes 2 onvif broadcast detection modules, an onvif directional detection module, and an alarm module;
the 2 onvif broadcast detection modules OB1 and OB2 are placed in the 2 specified class B segments B1 and B2 and each perform broadcast polling detection on its class B segment at intervals of 5 s, so that a camera-counterfeiting event among the 65535 ip addresses of the local area network can be identified quickly;
the 1 onvif directional detection module Op1 is placed at any position from which the detected networks are reachable by routing; with a period of 5 s it probes the IP addresses of all network segments reachable by routing using unicast messages of the onvif protocol, and generates an onvif rule tree with a 4-layer structure, with a matching delay < 1 s;
and the alarm module is used for receiving the alarm messages of the 2 onvif broadcast detection modules and the 1 onvif directional detection module and sending the alarm to a designated responsible person by mail.
When a PC masquerading as a camera is connected in class B segment B1, the onvif broadcast detection module OB1 discovers the counterfeit access event within 5 s at the latest through broadcast polling, and sends alarm information to the alarm server;
when a PC masquerading as a camera is connected in the remote local area network C, the onvif directional detection module Op1 discovers the counterfeit access event within 6 s at the latest through directional probe polling, and sends alarm information to the alarm server.
After receiving an alarm from any of the onvif modules, the alarm server forwards the alarm message to the mailbox of the person responsible for security, thereby completing the detection, discovery and alarm processes for the event.
In summary, the above-mentioned embodiments are only preferred embodiments of the present invention, and all equivalent changes and modifications made in the claims of the present invention should be covered by the claims of the present invention.

Claims (7)

1. A system for quickly identifying an access camera, characterized in that: the system comprises an onvif broadcast detection module, an onvif directional detection module and an alarm module;
the onvif broadcast detection module is used for sending an onvif broadcast to all ip addresses in the local area network, identifying any ip address that does not return a device service address as non-camera equipment, and sending alarm information;
the onvif directional detection module is used for probing ip addresses across network segments using unicast messages of the onvif protocol, generating an onvif rule tree, and performing matching identification on the matching rule of the root node;
and the alarm module is used for receiving the alarm message and sending it to the server.
2. The system for quickly identifying an access camera according to claim 1, wherein: the system also comprises a complexity calculation module, which is used for querying all IPs according to the response time in all local area networks after the broadcasts sent by the onvif broadcast detection module and the onvif directional detection module, obtaining the number of all IP addresses and the depth of all onvif rule trees, and calculating the time complexity.
3. The system for quickly identifying an access camera according to claim 1, wherein the matching rule is as follows: if the root node matches, continue to recursively match the child nodes downwards until a leaf node is matched; if the root node or a leaf node fails to match during the matching process, send an alarm message to the alarm module.
4. The system for quickly identifying an access camera according to claim 2, wherein: the time complexity is calculated from the number of all IP addresses and the depth of all onvif rule trees.
5. A method for quickly identifying an access camera, characterized by comprising the following steps:
sending an onvif broadcast to all ip addresses in the local area network, identifying any ip address that does not return a device service address as non-camera equipment, and sending alarm information;
probing ip addresses across network segments using unicast messages of the onvif protocol, generating an onvif rule tree, and performing matching identification on the matching rule of the root node.
6. The method for quickly identifying an access camera according to claim 5, wherein: the method also comprises an alarm step for receiving the alarm message and sending it to the server.
7. The method for quickly identifying an access camera according to claim 6, wherein the matching rule is as follows: if the root node matches, continue to recursively match the child nodes downwards until a leaf node is matched; if the root node or a leaf node fails to match during the matching process, send an alarm message to the alarm step.
CN201811494374.8A 2018-12-07 2018-12-07 System and method for quickly identifying access camera Active CN109450927B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811494374.8A CN109450927B (en) 2018-12-07 2018-12-07 System and method for quickly identifying access camera

Publications (2)

Publication Number Publication Date
CN109450927A CN109450927A (en) 2019-03-08
CN109450927B CN109450927B (en) 2021-01-15

Family

ID=65558321

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant