CN110572372B - Method and device for detecting intrusion of Internet of things equipment - Google Patents


Publication number: CN110572372B
Authority: CN (China)
Prior art keywords: internet, command, flow, data stream, character
Legal status: Active
Application number: CN201910767588.6A
Other languages: Chinese (zh)
Other versions: CN110572372A (en)
Inventors: 侯贺明, 叶志钢, 谭国权, 李明栋
Current assignee: Wuhan Greenet Information Service Co Ltd
Original assignee: Wuhan Greenet Information Service Co Ltd

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/01 Protocols > H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/01 Protocols > H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Abstract

The invention discloses a method and a device for detecting intrusion of Internet of things equipment, wherein the method comprises the following steps: acquiring session traffic generated during interaction between the Internet of things device and a login device; analyzing the session traffic and determining the echo mode of the session traffic; if the session traffic is in single-character echo mode, the Internet of things device is not intruded; if the session traffic is in multi-character echo mode, the Internet of things device has a potential intrusion risk; when the Internet of things device has a potential intrusion risk, judging whether an output ending command in random-character form exists in the session traffic; if the session traffic has an output ending command in random-character form, the Internet of things device has an intrusion risk. The method analyzes the session traffic, determines its echo mode and the form of its output ending command, and thereby finds whether the corresponding Internet of things device has been intruded, avoiding information leakage, preventing other Internet of things devices from being infected and improving network security.

Description

Method and device for detecting intrusion of Internet of things equipment
Technical Field
The invention belongs to the technical field of Internet of things security, and particularly relates to a method and a device for detecting intrusion of Internet of things equipment.
Background
The Internet of Things (abbreviated as IoT) is defined as connecting all articles with the Internet through information sensing equipment such as radio frequency identification (RFID), so as to realize intelligent identification and management. The Internet of things is the fusion of intelligent perception, recognition technology, pervasive computing and ubiquitous networking, and is called the third wave of development of the world information industry after computers and the Internet. The Internet of things is regarded as an application expansion of the Internet, and comprises sensors, mobile terminals, industrial systems, building control systems, household intelligent facilities, video monitoring systems, various assets with RFID (Radio Frequency Identification) tags attached, and the like.
In recent years, malicious programs have rapidly expanded from traditional PCs (personal computers) and server terminals to Internet of things device terminals; the landmark events are the outbreak of the Internet of things botnet Mirai and the release of the Mirai source code. After the Mirai code was released, dozens of variants appeared within a few months; the malicious code of these variants is developed from the original Mirai code, with expanded functions or infection modes. The devices infected by Internet of things Trojan horse viruses are at present mainly household routers and IP cameras, followed by various embedded devices, network management devices, Linux servers and the like that are exposed on the Internet. After an Internet of things device has been intruded, the administrator cannot find out in time whether the corresponding device has been intruded, which causes information leakage, and other Internet of things devices may be infected.
In view of the above, overcoming the drawbacks of the prior art is an urgent problem in the art.
Disclosure of Invention
Aiming at the defects or improvement requirements of the prior art, the invention provides a method and a device for detecting intrusion of Internet of things equipment, with the aim of discovering in time whether the corresponding Internet of things device has been intruded, avoiding information leakage and preventing other Internet of things devices from being infected, thereby improving network security.
To achieve the above object, according to an aspect of the present invention, there is provided a method for detecting intrusion of an Internet of things device, the method including:
acquiring session traffic generated during interaction between the Internet of things device and a login device;
analyzing the session traffic and determining the echo mode of the session traffic;
if the session traffic is in single-character echo mode, the Internet of things device is not intruded; if the session traffic is in multi-character echo mode, the Internet of things device has a potential intrusion risk;
when the Internet of things device has a potential intrusion risk, determining whether an output ending command in random-character form exists in the session traffic;
and if the session traffic has an output ending command in random-character form, the Internet of things device has an intrusion risk.
Preferably, the method further comprises:
if no output ending command in random-character form exists in the session traffic, the Internet of things device has a potential intrusion risk;
when the Internet of things device has a potential intrusion risk, determining whether a file download command exists in the session traffic;
if the session traffic has a file download command, the Internet of things device has an intrusion risk;
and if the session traffic does not have a file download command, the Internet of things device does not have an intrusion risk.
Preferably, the file download command is an echo command, and determining whether the file download command exists in the session traffic includes:
determining whether an echo command with specified parameters exists in the session traffic, wherein the echo command with specified parameters comprises echo -ne, echo -en, echo -n -e or echo -e -n;
if the echo command with specified parameters exists in the session traffic, acquiring the format of that echo command;
if the echo command with specified parameters carries byte data in a specified numeral system (radix), and each unit of byte data in that numeral system starts with \x or \0, a file download command exists in the session traffic.
Preferably, the method further comprises:
if a file download command exists in the session traffic, acquiring the plurality of segment data contained in the file download command and the redirection character carried by each segment;
and integrating the segment data according to the redirection character carried by each segment to obtain the intrusion file downloaded to the Internet of things device, so that the intrusion file can be cracked and analyzed, and the defense strategy of the Internet of things device further improved according to the intrusion file.
Preferably, determining whether the file download command exists in the session traffic includes:
acquiring the number of file download commands in the session traffic;
judging whether the number of file download commands in the session traffic is larger than a preset number threshold;
if so, calibrating that a file download command exists in the session traffic; if not, calibrating that no file download command exists in the session traffic.
Preferably, the session traffic is session traffic based on the telnet protocol, and analyzing the session traffic and determining the echo mode of the session traffic includes:
analyzing the session traffic to respectively obtain a first data stream sent by the login device to the Internet of things device and a second data stream sent by the Internet of things device to the login device;
for traffic in the same TCP connection, judging whether the characters in the first data stream are the same as the characters in the second data stream;
if they are the same, acquiring the character length of the load (payload) part in the first data stream and the second data stream; if the character length of the load part is one byte, the session traffic is in single-character echo mode, and if the character length of the load part is more than one byte, the session traffic is in multi-character echo mode.
Preferably, acquiring the character length of the load part in the first data stream and the second data stream, with the session traffic being in single-character echo mode if the character length of the load part is one byte and in multi-character echo mode if it is greater than one byte, includes:
acquiring the character lengths of the load parts in the first data stream and the second data stream, and, if the character length of a load part is one byte, counting the number of load parts in the first data stream and the second data stream whose character length is one byte;
and if the number of load parts with a character length of one byte in the first data stream and the second data stream is larger than a preset number threshold, the session traffic is in single-character echo mode.
Preferably, when the Internet of things device has a potential intrusion risk, determining whether an output ending command in random-character form exists in the session traffic includes:
analyzing the session traffic to respectively obtain a third data stream sent by the login device to the Internet of things device and a fourth data stream sent by the Internet of things device to the login device;
determining whether at least two commands exist in the third data stream, and if so, judging whether the last command carries a random character;
if the last command carries a random character, judging whether response traffic for the random character exists in the fourth data stream;
and if the fourth data stream has response traffic for the random character, an output ending command in random-character form exists in the session traffic.
Preferably, when the Internet of things device has a potential intrusion risk, determining whether an output ending command in random-character form exists in the session traffic includes:
when the Internet of things device has a potential intrusion risk, acquiring the number of output ending commands in random-character form in the session traffic;
judging whether the number of output ending commands in random-character form in the session traffic is greater than a preset number threshold;
if so, calibrating that an output ending command in random-character form exists in the session traffic; if not, calibrating that no output ending command in random-character form exists in the session traffic.
According to another aspect of the present invention, there is provided a detection apparatus comprising at least one processor and a memory communicatively coupled to the at least one processor, wherein the memory stores instructions executable by the at least one processor, which is programmed to perform the method of the present invention.
Generally, compared with the prior art, the technical scheme of the invention has the following beneficial effects. The invention provides a method and a device for detecting intrusion of Internet of things equipment, wherein the method comprises the following steps: acquiring session traffic generated during interaction between the Internet of things device and a login device; analyzing the session traffic and determining the echo mode of the session traffic; if the session traffic is in single-character echo mode, the Internet of things device is not intruded; if the session traffic is in multi-character echo mode, the Internet of things device has a potential intrusion risk; when the Internet of things device has a potential intrusion risk, judging whether an output ending command in random-character form exists in the session traffic; if the session traffic has an output ending command in random-character form, the Internet of things device has an intrusion risk. Because normal session traffic and malicious session traffic differ in echo mode and in the form of the output ending command, the method analyzes the session traffic, determines its echo mode and the form of its output ending command, and determines whether the Internet of things device has been intruded according to these two. By this method, whether the corresponding Internet of things device has been intruded can be found in time, information leakage is avoided, other Internet of things devices are prevented from being infected, and network security is therefore improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required to be used in the embodiments of the present invention will be briefly described below. It is obvious that the drawings described below are only some embodiments of the invention, and that for a person skilled in the art, other drawings can be derived from them without inventive effort.
Fig. 1 is a schematic flowchart of a method for detecting intrusion on an Internet of things device according to an embodiment of the present invention;
Fig. 2 is a schematic flowchart of another method for detecting intrusion on an Internet of things device according to an embodiment of the present invention;
Fig. 3 is a schematic traffic model diagram of normal session traffic according to an embodiment of the present invention;
Fig. 4 is a schematic traffic model diagram of malicious session traffic according to an embodiment of the present invention;
Fig. 5 is a traffic model diagram of another normal session traffic according to an embodiment of the present invention;
Fig. 6 is a schematic traffic model diagram of another malicious session traffic according to an embodiment of the present invention;
Fig. 7 is a traffic model diagram of another normal session traffic according to an embodiment of the present invention;
Fig. 8 is a traffic model diagram of another malicious session traffic according to an embodiment of the present invention;
Fig. 9 is a schematic structural diagram of a detection apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
In addition, the technical features involved in the embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.
Example 1:
In the research on Internet of things intrusion, the inventor discovered, by analyzing a large number of Internet of things botnet malicious programs, that these malicious programs have unique characteristics in their infection methods, propagation modes, network communication and the like; by analyzing and detecting intercepted traffic on the basis of these characteristics, the Internet of things devices intruded by the malicious programs can be identified.
Referring to fig. 1, the method for detecting intrusion of an Internet of things device according to this embodiment is described in detail; the method includes the following steps:
Step 10: acquiring session traffic generated during interaction between the Internet of things device and the login device. The Internet of things (IoT) device comprises a router, an IP camera, a sensor, a mobile terminal, an industrial system, a building control system, a household intelligent facility, a video monitoring system and the like.
In an actual application scenario, the Internet of things device and the login device generally interact through the Telnet protocol. The currently discovered Internet of things Trojan infections are mainly carried out by brute-force cracking of the Telnet protocol; once the cracking succeeds, a Telnet session is established, and all subsequent detection and infection operations are completed within that Telnet session. The Telnet protocol is a rather special protocol, mainly applied to interactive scenarios; in other words, it requires user interaction and is not suited to automatic operation without a user. But the Trojan horse virus needs to use the Telnet protocol for automatic intrusion and infection, so some special settings, or a special way of using Telnet, are required before automatic intrusion and infection can be achieved.
In this embodiment, the session traffic generated when the Internet of things device and the login device interact may be obtained, where the session traffic includes the data streams initiated by the login device to the Internet of things device and the data streams with which the Internet of things device responds to the login device; the data streams may be TCP data streams.
In this embodiment, the overall communication model involves the Internet of things device and the login device, wherein the Internet of things device is the server side and the login device is the client side. For example, in an actual scenario a hacker logs in from a login device to an Internet of things device, possibly through the telnet protocol; a typical login device is a Linux server (although it is called a Linux server, this refers to its Linux operating system and does not mean that the login device sits at the server side of the communication model; on the contrary, the login device sits at the client side), and a typical Internet of things device is a router. The login device can also be understood as a login client; a common login client is generally a telnet client or program, which may run on a Linux or a Windows system.
Step 11: analyzing the session traffic and determining the echo mode of the session traffic.
In an actual application scenario, the telnet-based session traffic generated by an Internet of things botnet and normal telnet-based session traffic differ greatly in echo mode; the echo mode of the session traffic can be determined by analyzing the session traffic, so as to determine whether the Internet of things device has been intruded by a malicious program.
Step 12: if the session traffic is in single-character echo mode, the Internet of things device is not intruded; and if the session traffic is in multi-character echo mode, the Internet of things device has a potential intrusion risk.
When the Internet of things device has a potential intrusion risk, it can be marked as a key observation object for further monitoring.
In an actual application scenario, normal session traffic echoes an input command character by character, and malicious session traffic does not. For example, in a typical usage scenario of the Telnet protocol such as user login, the user needs to input a user name and a password; when the user inputs the user name "admin", each letter typed on the keyboard is displayed in the Telnet session window. From the user's perspective it seems that the input is displayed directly in the window, but in the background the process is more complex: first, the letter "a" typed by the user on the keyboard of the client (login device) is transmitted to the server (Internet of things device), then the server transmits the letter "a" back to the client, and then the client displays the letter "a" received from the server in its window. The same flow occurs for each letter when the user enters the user name "admin", as shown in fig. 3.
S represents the server side and C the client side; the traffic model generated when a real user logs in to an account over the telnet protocol is as follows: C->S: a, S->C: a, C->S: d, S->C: d, C->S: m, S->C: m, C->S: i, S->C: i, C->S: n, S->C: n; that is, when a real user logs in to an account, the server echoes single characters.
The traffic model generated when a hacker logs in to an account over the telnet protocol is as follows: C->S: admin, S->C: admin; that is, when a hacker logs in automatically through a malicious program, the server side echoes the whole character string. As shown in fig. 4, C->S: root, S->C: root, the server side echoes the whole character string.
When a real user logs in to an account through a client, the user name is typed manually, so the server side has to echo each letter as it is input, and this echo is specified by the telnet protocol; when a hacker controls the client, it is driven automatically by a program, the whole character string is sent at once, and the server echoes the whole received character string. Therefore, based on the difference in echoing, it can be distinguished which session traffic is generated by automatic login and which by manual login, where the session traffic generated by automatic login is possibly malicious behavior generated by a botnet.
In this embodiment, if the session traffic is in single-character echo mode, the Internet of things device is not intruded, and if the session traffic is in multi-character echo mode, the Internet of things device has a potential intrusion risk.
Step 13: when the Internet of things device has a potential intrusion risk, determining whether an output ending command in random-character form exists in the session traffic.
When the Internet of things device has a potential intrusion risk, the session traffic needs to be further analyzed, so as to further determine whether the device has been intruded according to the difference between normal session traffic and malicious session traffic.
In an actual application scenario, because the telnet protocol is designed specifically for interactive use, under normal conditions a user sees the output of a command after executing it, so the user knows that the previous command has finished and can continue with the next operation; however, when a hacker uses a program to log in to the device automatically, the program cannot observe the command output with its eyes as a real person would, so some method is needed to determine that the previous command has finished executing and the next command can be sent.
Currently, the typical method is: when a command is executed, a special command is appended after it; because the appended special command does not exist, an error message is printed, and by detecting this error message it is judged that the preceding command has finished executing. The special command can be defined at will; generally random characters are used as the special command, and typically a random combination of meaningless capital letters is chosen so that it can be searched for. With "ECCHI" as the special command, the actual session information in the following example is: C->S: /bin/busybox ps; /bin/busybox ECCHI, S->C: /bin/busybox ps; /bin/busybox ECCHI (output of ps) ECCHI: applet not found, as shown in fig. 6.
When a real user logs in, the telnet traffic model is completely different, and there is no detection of the end of output by a special command string. As shown in fig. 5, the command whose output is received is "cd /tmp".
Step 14: if the session traffic has an output ending command in random-character form, the Internet of things device has an intrusion risk.
In view of the foregoing analysis, when there is a potential intrusion risk in the Internet of things device, it is determined whether an output ending command in random-character form exists in the session traffic.
In this embodiment, because normal session traffic and malicious session traffic differ in echo mode and in the form of the output ending command, the method of the present invention analyzes the session traffic, determines its echo mode and the form of its output ending command, and thus determines whether the Internet of things device has been intruded according to these two. By this method, whether the corresponding Internet of things device has been intruded can be found in time, information leakage is avoided, other Internet of things devices are prevented from being infected, and network security is therefore improved.
In an actual application scenario, a third difference still exists between malicious session traffic and normal session traffic, and in order to improve detection accuracy, the session traffic can be further examined on the basis of this third difference. Referring to fig. 2, the following steps are also included after step 14:
Step 15: if no output ending command in random-character form exists in the session traffic, the Internet of things device has a potential intrusion risk.
Step 16: when the Internet of things device has a potential intrusion risk, determining whether a file download command exists in the session traffic.
In an actual application scenario, malicious traffic may download an intrusion file (malicious file) to the Internet of things device by using a file download command, and normal manual traffic does not have a file download command. Generally, tools such as wget, curl, ftp or tftp can be used to download a file to a device, but Internet of things devices are special in that such a download tool may not be available, and an echo command is then needed to perform the file download. In an alternative embodiment, the file download command may be an echo command, and the intrusion file is downloaded to the Internet of things device through the echo command.
In one embodiment, the traffic model of the echo-based file download command is: C->S: echo -ne '\x7f\x45\x4c...' > filename; /bin/busybox ECCHI, S->C: echo -ne '\x7f\x45\x4c...' > filename; /bin/busybox ECCHI ECCHI: applet not found, as shown in fig. 7.
Step 17: if the session traffic has a file download command, the Internet of things device has an intrusion risk.
Step 18: if the session traffic does not have a file download command, the Internet of things device does not have an intrusion risk.
Steps 10 to 14 are the same as in the implementation of fig. 1 and are not described again here.
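One way to implement the echo-based file download check of steps 16 to 18 (the specified-parameter echo command and the \x / \0 byte test from the disclosure section above), together with the reassembly of the segments according to the redirection character each one carries, written as an added Python example rather than the patent's own code. The command lines are constructed after the traffic model of fig. 7; the regular expressions, the function names and the threshold default are assumptions of the example. It goes slightly beyond the text in also decoding octal \0NNN escapes and in treating '>' (start the file afresh) and '>>' (append) differently when joining segments.

```python
"""Detection of echo-based file download commands and reassembly of the
downloaded file, written as an added example for this page. The command
lines are constructed after the traffic model of fig. 7 and are not taken
from any real session."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed third-data-stream command lines; the trailing
# "/bin/busybox ECCHI" is the output-end marker of figs. 6 and 7.
SAMPLE_COMMANDS: List[str] = [
    "echo -ne '\\x7f\\x45\\x4c\\x46' > dropper; /bin/busybox ECCHI",
    "echo -ne '\\x01\\x01\\x01\\x00' >> dropper; /bin/busybox ECCHI",
    "echo -e -n '\\x02\\0' >> dropper; /bin/busybox ECCHI",
    "cd /tmp; /bin/busybox ECCHI",
    "echo -ne 'hello' > note; /bin/busybox ECCHI",
]

# echo with the parameter spellings the page lists (-ne, -en, -n -e, -e -n),
# a single-quoted literal, and a redirect to a file name (assumed shape).
ECHO_RE = re.compile(
    r"echo\s+(-ne|-en|-n\s+-e|-e\s+-n)\s+'([^']*)'\s*(>>|>)\s*([^\s;]+)"
)
# One escaped byte unit: hexadecimal \xHH or octal \0NNN (up to three digits).
BYTE_RE = re.compile(r"\\x[0-9a-fA-F]{2}|\\0[0-7]{0,3}")


def parse_echo_download(command: str) -> Optional[Tuple[bytes, str, str]]:
    """Return (bytes, redirect operator, file name) when the command is an
    echo file-download command, i.e. every unit of its literal starts with
    \\x or \\0; otherwise None."""
    match = ECHO_RE.search(command)
    if match is None:
        return None
    literal, redirect, filename = match.group(2), match.group(3), match.group(4)
    units = BYTE_RE.findall(literal)
    if not units or "".join(units) != literal:
        return None  # plain text such as 'hello' is not byte data
    data = bytes(
        int(unit[2:], 16) if unit.startswith("\\x") else int(unit[2:] or "0", 8)
        for unit in units
    )
    return data, redirect, filename


def count_download_commands(commands: List[str]) -> int:
    """Number of command lines that carry an echo file-download command."""
    return sum(1 for command in commands if parse_echo_download(command) is not None)


def has_download_command(commands: List[str], threshold: int = 1) -> bool:
    """Step 16 with the preset number threshold: only more than `threshold`
    download commands calibrate the session as carrying one."""
    return count_download_commands(commands) > threshold


def reassemble_downloads(commands: List[str]) -> Dict[str, bytes]:
    """Join the segments per target file according to the redirect each one
    carries: '>' starts the file afresh, '>>' appends to it. The result is the
    intrusion file as written on the device, ready for offline analysis."""
    files: Dict[str, bytes] = {}
    for command in commands:
        parsed = parse_echo_download(command)
        if parsed is None:
            continue
        data, redirect, filename = parsed
        if redirect == ">":
            files[filename] = data
        else:
            files[filename] = files.get(filename, b"") + data
    return files


if __name__ == "__main__":
    print("download commands:", count_download_commands(SAMPLE_COMMANDS))
    for name, content in reassemble_downloads(SAMPLE_COMMANDS).items():
        print(name, content.hex())
```

The byte-data test is what separates a download from an ordinary echo: a literal made only of \x or \0 units is binary content being written to disk, while 'hello' is not, so the last sample line does not count even though it uses echo -ne with a redirect.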
The following describes in detail one of specific implementations of detecting whether the session traffic is in a multi-character playback mode, whether an output end command in a random character form exists in the session traffic, and whether a file download command exists in the session traffic, respectively.
In an optional scheme, the session traffic is telnet protocol-based session traffic, and with reference to fig. 3 and 4, step 11 specifically includes: parsing the session traffic to obtain a first data stream (upstream traffic) sent by the login device to the internet of things device and a second data stream (downstream traffic) sent by the internet of things device to the login device, where the first data stream and the second data stream are the two directions (upstream and downstream) of the same TCP (Transmission Control Protocol) data stream.
As shown in fig. 3, the first data stream contains the characters (a, d, m, i, n) entered by the login device when logging in to the internet of things device, and the second data stream contains the characters (a, d, m, i, n) echoed by the internet of things device as the login information of the login device. As shown in fig. 4, the first data stream contains the characters (root) entered by the login device when logging in to the internet of things device, and the second data stream contains the characters (root) echoed by the internet of things device as the login information of the login device.
For the traffic in the same TCP connection, it is determined whether the characters in the first data stream are the same as the characters in the second data stream; as shown in fig. 3 and 4, the characters in the two data streams are the same for traffic in the same TCP connection. If they are the same, the character lengths of the load portions in the first data stream and the second data stream are obtained: if the character length of the load portion is one byte (in fig. 3 the load portions of both data streams are 1 byte long), the session traffic is in single-character echo mode, and if the character length of the load portion is greater than one byte (in fig. 4 the load portions of both data streams are 4 bytes long), the session traffic is in multi-character echo mode.
In an actual application scenario, normal traffic is produced by a user typing one character at a time when logging in, and the server side (the internet of things device) echoes one character at a time, so when the character length of the load portion is one byte the session traffic is in single-character echo mode; malicious traffic is generally produced by an automated program that sends a whole string of characters at once, and the server side (the internet of things device) echoes the string as a whole, so when the character length of the load portion is greater than one byte the session traffic is in multi-character echo mode.
In order to reduce false alarms and improve accuracy, in a preferred embodiment an enhancement condition may be set, and the session traffic is marked as being in single-character echo mode only when it meets the enhancement condition. Specifically, the character lengths of the load portions in the first data stream and the second data stream are obtained; if the character length of the load portion is one byte, the number of load portions in the first data stream and the second data stream whose character length is one byte is counted; and if the number of load portions with a character length of one byte in the session traffic is greater than a preset number threshold, the session traffic is in single-character echo mode. The preset number threshold is determined according to actual conditions, for example 2, 4 or another value, and is not specifically limited here.
In an alternative scheme, with reference to fig. 6, step 13 specifically includes: parsing the session traffic to obtain a third data stream sent by the login device to the internet of things device and a fourth data stream sent by the internet of things device to the login device, where the fourth data stream is the response traffic to the third data stream; determining whether at least two commands exist in the third data stream and, if at least two commands exist, judging whether the last command carries a random character; if the last command carries a random character, judging whether response traffic for the random character exists in the fourth data stream; and if the fourth data stream contains response traffic for the random character, an output-end command in random-character form exists in the session traffic.
For example, the last command in the third data stream is "/bin/busy XXXX", where the "XXXX" characters are custom characters, typically random characters composed of upper and lower case letters, and the fourth data stream contains response traffic for "/bin/busy XXXX", e.g. the response traffic "XXXX: applet found", where "XXXX" is the random character contained in the last command of the third data stream.
As shown in fig. 6, the last command in the third data stream is "/bin/busy ECCHI", and response traffic for "/bin/busy ECCHI" exists in the fourth data stream, namely "ECCHI: applet not found". During execution of the malicious program, when the response traffic "ECCHI: applet found" is detected, it is concluded that the previous command has been completely executed, so the next command is executed.
In an actual application scenario, malicious traffic uses the random character and the response traffic corresponding to it to determine that the previous command has completed so that the next command can be executed; normal traffic does not contain interaction of this form.
In order to reduce false alarms and improve accuracy, in a preferred embodiment an enhancement condition may be set, and an output-end command in random-character form is marked as present in the session traffic only when the session traffic meets the enhancement condition. Specifically, when the internet of things device has a potential intrusion risk, the number of output-end commands in random-character form in the session traffic is obtained; it is judged whether this number is greater than a preset number threshold; if so, an output-end command in random-character form is marked as present in the session traffic; if not, it is marked as absent. The preset number threshold is determined according to actual conditions and is not specifically limited here.
In an optional scheme, with reference to fig. 7, the file download command is an echo command, and step 16 specifically includes: determining whether an echo command with specified parameters exists in the session traffic, where the echo command with specified parameters comprises echo -ne, echo -en, echo -n -e or echo -e -n; if such an echo command exists in the session traffic, obtaining its format; and if the echo command with specified parameters carries byte data in the specified number system (base), and each item of byte data in that number system starts with \x or \0, a file download command exists in the session traffic.
The byte data in the specified number system includes hexadecimal byte data and octal byte data. For example, the format of octal byte data is \0NNN (a byte with octal value NNN, 1 to 3 digits), and the format of hexadecimal byte data is \xHH (a byte with hexadecimal value HH, 1 to 2 digits).
When the byte data in the specified number system is hexadecimal, a file download command exists in the session traffic if each hexadecimal byte starts with \x; when the byte data is octal, a file download command exists in the session traffic if each octal byte starts with \0.
In a practical application scenario, the byte data is the content of the downloaded file, i.e. segment data, because every file consists of a number of bytes and the bytes are written into the file through the echo command. The essence of downloading a file with an echo command is to divide the file into a plurality of data segments and then write each data segment into the file with the echo command. Here echo supports backslash-controlled character conversion: \xhh outputs the character with hexadecimal ASCII code hh, where hh is a two-digit hexadecimal number, and \0nnn outputs the character with octal ASCII code nnn, where nnn is a three-digit octal number.
For example, as shown in fig. 7, the session traffic contains the following traffic pattern:
C -> S: echo -ne '\x7f\x45\x4c...' > filename; /bin/busy ECCHI
S -> C: echo -ne '\x7f\x45\x4c...' > filename; /bin/busy ECCHI ECCHI: applet found
where 7f, 45 and 4c are hexadecimal byte data, each starting with \x.
In an actual application scenario, malicious traffic downloads the intrusion file to the internet of things device through the file download command, and normal traffic contains no file download command, so if traffic of this form exists in the session traffic, a file download command is marked as present in the session traffic.
In order to reduce false alarms and improve accuracy, in a preferred embodiment an enhancement condition may be set, and a file download command is marked as present in the session traffic only when the session traffic meets the enhancement condition. Specifically, the number of file download commands in the session traffic is obtained; it is judged whether this number is greater than a preset number threshold; if so, a file download command is marked as present in the session traffic; if not, no file download command exists in the session traffic. The preset number threshold is determined according to actual conditions and is not specifically limited here.
In a preferred embodiment, when a file download command is detected in the session traffic, the intrusion file can be recovered in reverse from the file download command, then analyzed, and the defense strategy of the internet of things device improved according to the intrusion file, so that the intrusion prevention capability of the internet of things device is enhanced.
In this embodiment, if a file download command exists in the session traffic, the plurality of segment data contained in the file download command and the redirector carried by each segment data are obtained; the segment data are then assembled according to the redirector carried by each segment to obtain the intrusion file downloaded to the internet of things device, so that the intrusion file can be cracked and analyzed and the defense strategy of the internet of things device improved accordingly. The redirectors comprise ">" and ">>": ">" means that a file is to be newly created, and ">>" means that data is appended to the file.
For example, when an intrusion file is intercepted, the first step is to identify the first segment of the file content. The login device sends a command to the internet of things device; if the command starts with "echo -ne" and is followed by a large amount of hexadecimal data, it can be judged that the file content is being transmitted in echo mode, the hexadecimal content finally being redirected into some file in this way. For the first segment of the file, the redirector used is ">", which means the file is newly created and, if it already exists, its content is overwritten; for the second and all following segments of the file, the redirector used is ">>", which means data is appended to the file: if the file exists, the data is appended at its tail, and if it does not exist, the file is newly created and the data written. Thus whether a segment is the first segment of the file can be judged simply from whether the redirector is ">" or ">>", and the segments are appended to the file in order according to the redirector ">>".
The second step is to identify the end of the file content. When the file transfer is finished, a command that executes the file appears in the traffic, and if the login device is found to send no further echo commands to the internet of things device to continue writing the file, the file has been transferred completely, and the intrusion file is thereby intercepted.
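The two interception steps just described (first segment recognised by its ">" redirector, later segments appended with ">>", end of file when no further echo write follows and the file is executed), as an added example that is not the patent's or the applicant's own code. The command list, the target file name /tmp/.x and the final execution command are constructed for the example; the probe string "/bin/busy ECCHI" is taken as the page writes it, and the escape decoding follows the \xHH / \0NNN formats given above.

```python
import re

# Added example (not the patent's code). Upstream commands (login device ->
# IoT device) of a constructed session: the "/bin/busy ECCHI" lines are the
# output-end probes the description shows between echo writes, and the final
# "/tmp/.x" is a constructed command executing the written file.
CONSTRUCTED_COMMANDS = [
    b"/bin/busy ECCHI",
    b"echo -ne '\\x7f\\x45\\x4c\\x46' > /tmp/.x",      # first segment: '>' creates the file
    b"/bin/busy ECCHI",
    b"echo -ne '\\x01\\x01\\x01\\x00' >> /tmp/.x",     # later segments: '>>' appends
    b"/bin/busy ECCHI",
    b"echo -ne '\\0101\\0102\\0103' >> /tmp/.x",       # octal escapes are accepted too
    b"/bin/busy ECCHI",
    b"/tmp/.x",                                         # constructed: the file is run
]

# echo with -ne / -en / -n -e / -e -n, a quoted body made only of \xHH or \0NNN
# escapes, then the redirector ('>' or '>>') and the target file name.
ECHO_WRITE = re.compile(
    rb"^echo\s+(?:-ne|-en|-n\s+-e|-e\s+-n)\s+"
    rb"'((?:\\x[0-9A-Fa-f]{1,2}|\\0[0-7]{1,3})+)'\s*(>>?)\s*(\S+)$")
OUTPUT_END = re.compile(rb"^/bin/busy [A-Za-z]+$")   # the page's random-character probe
ESCAPE = re.compile(rb"\\x([0-9A-Fa-f]{1,2})|\\0([0-7]{1,3})")


def decode_escapes(body):
    """Convert the \\xHH / \\0NNN escapes of an echo -e body into raw bytes
    (eight-bit values, as echo itself produces them)."""
    out = bytearray()
    for m in ESCAPE.finditer(body):
        if m.group(1) is not None:
            out.append(int(m.group(1), 16))
        else:
            out.append(int(m.group(2), 8) & 0xFF)
    return bytes(out)


def reassemble(commands):
    """Rebuild every file written through echo redirection.

    '>' starts a new file (overwriting an existing one), '>>' appends. A file
    counts as completely transferred once some command other than an echo write
    or an output-end probe (for example the command executing the file) follows
    its last write. Returns (files, complete): files maps name -> bytes and
    complete is the set of names whose transfer has ended."""
    files = {}
    last_write = {}
    for i, cmd in enumerate(commands):
        m = ECHO_WRITE.match(cmd)
        if not m:
            continue
        body, redirector, name = m.groups()
        chunk = decode_escapes(body)
        if redirector == b">":
            files[name] = chunk                          # first segment
        else:
            files[name] = files.get(name, b"") + chunk   # append, create if absent
        last_write[name] = i
    complete = set()
    for name, i in last_write.items():
        tail = commands[i + 1:]
        if any(not ECHO_WRITE.match(c) and not OUTPUT_END.match(c) for c in tail):
            complete.add(name)
    return files, complete


if __name__ == "__main__":
    files, complete = reassemble(CONSTRUCTED_COMMANDS)
    for name, data in files.items():
        state = "complete" if name in complete else "still being written"
        print(name.decode(), len(data), "bytes,", state, "- first bytes:", data[:4].hex())
```

The recovered bytes begin with 7f 45 4c 46, the ELF magic, which is what the hexadecimal prefix in fig. 7 spells out; a defender feeds the reassembled file to static analysis rather than trusting the name the attacker chose for it.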
In this embodiment, session traffic is examined along at least three dimensions, and whether the internet of things device has been invaded by a malicious program is determined from the result. The three dimensions are: whether the session traffic is in multi-character echo mode, whether an output-end command in random-character form exists in the session traffic, and whether a file download command exists in the session traffic. A malicious program invading the internet of things device shows specific behaviour in each of these three dimensions (clearly different from normal traffic), so whether the device has been invaded can be determined comprehensively from the three dimensions, and the characteristic information can be intercepted accurately.
Furthermore, the intrusion file can be recovered in reverse from the file download command and then analyzed, and the defense strategy of the internet of things device improved according to the intrusion file so as to enhance the anti-intrusion capability of the internet of things device.
Example 2:
In order to better understand the detection process of embodiment 1, an implementation of the method for detecting intrusion on an internet of things device is described below with reference to fig. 8 based on a specific application scenario.
The method is mainly applied in the field of network security. By filtering and examining the network traffic flowing through internet of things devices, devices infected with Trojan horse viruses can be detected from the network traffic, so that invaded internet of things devices are detected in real time, the viruses can be removed and information security ensured. In addition, with the method of this embodiment the content of the relevant malicious files can be extracted for analysis, and the internet of things device upgraded and improved according to those files to enhance its defense capability.
The core of the method is to detect which traffic is malicious, specifically, to find the traffic of a hacker who has successfully cracked the device and is controlling it. Once this hacker-controlled traffic is discovered, the IP addresses of the internet of things devices infected into the botnet can be obtained, and the malicious files the hacker intends to download to the device can be extracted in order to protect the internet of things devices.
From the analysis of embodiment 1, telnet traffic generated by an internet of things botnet differs from normal telnet traffic in three obvious ways: (1) the echoing of input characters; (2) whether a random character is used to judge that output has finished; (3) whether the echo mode is used to download a file onto the device. In an actual application scenario, session traffic can be filtered and examined on the basis of these three differences to determine whether the internet of things device has been invaded.
First, it is judged whether the telnet session traffic is in single-character echo mode. The detection mainly checks two things: that the length of the TCP load portion in the telnet session traffic is 1 byte, and that for each character sent by the login device (client side) to the internet of things device (server side), the internet of things device sends the same character back to the login device. The telnet session traffic is counted, and once both conditions are met it can be regarded as being in single-character echo mode. In order to reduce false alarms and enhance accuracy, the condition may be further strengthened, for example by predefining a value N and regarding the telnet session traffic as being in single-character echo mode only when it satisfies the above conditions more than N times.
When the telnet session traffic is in multi-character echo mode, it is judged whether an output-end command in random-character form exists in the telnet session traffic. The detection mainly checks two things: that the traffic sent by the login device to the internet of things device contains more than two commands, the last of which has the format "/bin/busy XXXX", where the "XXXX" string is a special string defined by the hacker and is not fixed; and that, in response to the command sent by the login device, the response traffic sent by the internet of things device to the login device contains the string XXXX, i.e. the special string the login device sent to the internet of things device in the previous step. Once both conditions are met, an output-end command in random-character form can be regarded as present in the telnet session traffic. In order to reduce false alarms and enhance accuracy, the condition may be further strengthened, for example by predefining a value N and concluding that such a command exists only when the telnet session traffic satisfies the above conditions more than N times. When an output-end command in random-character form exists in the telnet session traffic, the internet of things device has an intrusion risk.
When an output-end command in random-character form exists in the telnet session traffic, the internet of things device has a potential intrusion risk, and it is then judged whether the telnet session traffic uses an echo command to download a file. The detection mainly checks whether a command sent by the login device to the internet of things device matches the following pattern: the command starts with "echo -ne" and is followed by a large amount of hexadecimal byte data, each hexadecimal byte being written as "\x" followed by the byte value. Once the telnet session traffic is found to satisfy this condition, it can be regarded as downloading a file with an echo command. In order to reduce false alarms and enhance accuracy, the condition may be further strengthened, for example by predefining a value N and concluding that a file is being downloaded only when the telnet session traffic satisfies the above condition more than N times. When the telnet session traffic uses an echo command to download a file, the internet of things device has an intrusion risk; when it does not, the internet of things device has a potential intrusion risk.
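The three checks of the flow in fig. 8 (echo mode as in fig. 3 and 4, the random-character output-end command of fig. 6, and the echo file download of fig. 7, described in embodiment 1 and restated above) carried through on sample traffic, as an added example that is not the patent's or the applicant's own code. The session model (a list of upstream/downstream TCP payloads), the two constructed sessions, the probe string "/bin/busy ECCHI" taken as the page writes it, the threshold N = 2 and the treatment of a session with no matched echoes as "not single-character" are assumptions of the example; the final decision follows claims 1 and 2.

```python
import re

# Added example, not the patent's code. A telnet session is modelled as a list
# of (direction, payload) pairs in TCP order: "C" = login device -> IoT device
# (upstream), "S" = IoT device -> login device (downstream). Payloads are the
# TCP load portions with telnet option negotiation already removed.

# Constructed normal session: the user types "root" one character at a time
# and the device plays each character back (single-character echo mode).
NORMAL_SESSION = [
    ("C", b"r"), ("S", b"r"), ("C", b"o"), ("S", b"o"),
    ("C", b"o"), ("S", b"o"), ("C", b"t"), ("S", b"t"),
    ("C", b"\r\n"), ("S", b"\r\nPassword: "),
]

# Constructed automated session: whole strings are sent and played back,
# "/bin/busy ECCHI" probes mark the end of each command's output (response text
# as in fig. 6), and a file is written with echo -ne escapes.
MALICIOUS_SESSION = [
    ("C", b"root\r\n"), ("S", b"root\r\n"), ("S", b"Password: "),
    ("C", b"admin\r\n"), ("S", b"\r\n# "),
    ("C", b"/bin/busy ECCHI\r\n"), ("S", b"/bin/busy ECCHI\r\n"),
    ("S", b"ECCHI: applet not found\r\n# "),
    ("C", b"echo -ne '\\x7f\\x45\\x4c\\x46' > /tmp/.x\r\n"), ("S", b"# "),
    ("C", b"/bin/busy ECCHI\r\n"), ("S", b"ECCHI: applet not found\r\n# "),
    ("C", b"echo -ne '\\x01\\x01\\x01\\x00' >> /tmp/.x\r\n"), ("S", b"# "),
    ("C", b"/bin/busy ECCHI\r\n"), ("S", b"ECCHI: applet not found\r\n# "),
    ("C", b"echo -ne '\\0101\\0102' >> /tmp/.x\r\n"), ("S", b"# "),
    ("C", b"/bin/busy ECCHI\r\n"), ("S", b"ECCHI: applet not found\r\n# "),
]

PRESET_N = 2  # the "preset number threshold" N; the patent leaves its value open

OUTPUT_END = re.compile(rb"^/bin/busy ([A-Za-z]+)$")
ECHO_WRITE = re.compile(
    rb"^echo\s+(?:-ne|-en|-n\s+-e|-e\s+-n)\s+"
    rb"'(?:\\x[0-9A-Fa-f]{1,2}|\\0[0-7]{1,3})+'\s*>>?\s*\S+$")


def echo_mode(segments, n=PRESET_N):
    """Step 1: pair each upstream payload with the downstream payload that
    directly follows it. Identical 1-byte payloads are single-character echoes,
    identical longer payloads multi-character echoes. The session is in
    single-character mode only when more than n single-character echoes occur."""
    single = multi = 0
    for (d1, p1), (d2, p2) in zip(segments, segments[1:]):
        if d1 == "C" and d2 == "S" and p1 == p2:
            if len(p1) == 1:
                single += 1
            else:
                multi += 1
    if single > n:
        return "single"
    return "multi" if multi else "unknown"


def upstream_commands(segments):
    """Commands sent by the login device, one per line."""
    data = b"".join(p for d, p in segments if d == "C")
    return [line.strip() for line in data.splitlines() if line.strip()]


def output_end_commands(segments):
    """Step 2: at least two upstream commands, the last one of the form
    '/bin/busy XXXX', and the downstream data answering with the same XXXX.
    Returns how many probe/response pairs occur (0 when the form is absent)."""
    cmds = upstream_commands(segments)
    if len(cmds) < 2:
        return 0
    m = OUTPUT_END.match(cmds[-1])
    if not m:
        return 0
    token = m.group(1)
    downstream = b"".join(p for d, p in segments if d == "S")
    probes = sum(1 for c in cmds if OUTPUT_END.match(c))
    responses = downstream.count(token + b":")
    return min(probes, responses)


def echo_download_commands(segments):
    """Step 3: count echo -ne/-en/-n -e/-e -n commands whose quoted body is made
    only of \\xHH or \\0NNN bytes and is redirected into a file."""
    return sum(1 for c in upstream_commands(segments) if ECHO_WRITE.match(c))


def verdict(segments, n=PRESET_N):
    """Decision flow of claims 1 and 2 (fig. 8), with the threshold n applied to
    each check as the enhancement condition."""
    if echo_mode(segments, n) == "single":
        return "not invaded"
    if output_end_commands(segments) > n:
        return "intrusion risk: random-character output-end command"
    if echo_download_commands(segments) > n:
        return "intrusion risk: echo file download"
    return "no intrusion risk"


if __name__ == "__main__":
    for name, session in (("normal", NORMAL_SESSION), ("malicious", MALICIOUS_SESSION)):
        print(name, echo_mode(session), output_end_commands(session),
              echo_download_commands(session), "->", verdict(session))
```

The echo pairing deliberately compares whole TCP payloads, as the description does; a real deployment has to strip telnet IAC option negotiation first and cope with the device splitting the echo and the prompt across segments, otherwise a hand-typed session can fall into "unknown" and be examined by the later, stricter checks.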
Example 3:
referring to fig. 9, fig. 9 is a schematic structural diagram of a detection device according to an embodiment of the present invention. The detection means of the present embodiment comprises one or more processors 41 and a memory 42. In fig. 9, one processor 41 is taken as an example.
The processor 41 and the memory 42 may be connected by a bus or other means, and fig. 9 illustrates the connection by a bus as an example.
The memory 42, as a non-volatile computer-readable storage medium, can be used to store non-volatile software programs, non-volatile computer-executable programs and modules, such as the program instructions corresponding to the method for detecting intrusion of an internet of things device in embodiments 1 and 2. The processor 41 executes the non-volatile software programs, instructions and modules stored in the memory 42, thereby running the functional applications and data processing of the method and implementing the functions of the methods of embodiments 1 and 2.
The memory 42 may include, among other things, high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device. In some embodiments, memory 42 may optionally include memory located remotely from processor 41, which may be connected to processor 41 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
For the method for detecting intrusion of an internet of things device, please refer to fig. 1 to 8 and the related description, which are not repeated here.
It should be noted that the information interaction, execution process and other details between the modules and units in the apparatus and system are based on the same concept as the method embodiments of the present invention; for specific details, reference may be made to the description in the method embodiments, which is not repeated here.
Those of ordinary skill in the art will appreciate that all or part of the steps of the various methods of the embodiments may be implemented by associated hardware as instructed by a program, which may be stored on a computer-readable storage medium, which may include: a Read Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and the like.
It will be understood by those skilled in the art that the foregoing is only a preferred embodiment of the present invention, and is not intended to limit the invention, and that any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (10)

1. A method for detecting intrusion on equipment of the Internet of things is characterized by comprising the following steps:
acquiring session flow generated during interaction between the Internet of things equipment and login equipment;
analyzing the conversation flow and determining a playback mode of the conversation flow;
if the conversation flow is in a single character echo mode, the Internet of things equipment is not invaded; if the session flow is in a multi-character echo mode, the equipment of the Internet of things has a potential intrusion risk;
when the Internet of things equipment has a potential intrusion risk, determining whether an output ending command in a random character form exists in the conversation flow;
and if the session flow has an output ending command in a random character form, the Internet of things equipment has an intrusion risk.
2. The method of claim 1, further comprising:
if the output ending command in the form of random characters does not exist in the session flow, the equipment of the Internet of things has a potential intrusion risk;
when the Internet of things equipment has a potential intrusion risk, determining whether a file downloading command exists in the session flow;
if the session flow has a file downloading command, the Internet of things equipment has an intrusion risk;
and if the session flow does not have a file downloading command, the Internet of things equipment does not have an intrusion risk.
3. The method of claim 2, wherein the file download command is an echo command, and wherein determining whether the file download command exists in the session traffic comprises:
determining whether an echo command for specifying parameters exists in the session traffic, wherein the echo command for specifying parameters comprises echo-ne, echo-en, echo-n-e or echo-e-n;
if the echo command of the specified parameter exists in the session flow, acquiring the format of the echo command of the specified parameter;
if the echo command of the specified parameter carries byte data of the specified data system, and the byte data of each specified data system starts with \x or \0, a file downloading command exists in the session flow.
4. The method of claim 2, further comprising:
if a file downloading command exists in the session flow, acquiring a plurality of segment data contained in the file downloading command and a redirection character carried by each segment data;
and integrating the segmented data according to the redirector carried by each segmented data to obtain an intrusion file downloaded to the Internet of things equipment so as to break the intrusion file, analyzing the intrusion file and further improving the defense strategy of the Internet of things equipment according to the intrusion file.
5. The method of claim 2, wherein determining whether a file download command is present in the session traffic comprises:
acquiring the number of file downloading commands in the session flow;
judging whether the number of file downloading commands in the session flow is larger than a preset number threshold value or not;
if so, calibrating that a file downloading command exists in the session flow; if not, the file downloading command does not exist in the conversation flow.
6. The method of claim 1, wherein the session traffic is a telnet protocol-based session traffic, and wherein parsing the session traffic and determining the echoing pattern of the session traffic comprises:
analyzing the session flow to respectively obtain a first data stream sent by the login equipment to the Internet of things equipment and a second data stream sent by the Internet of things equipment to the login equipment;
judging whether the characters in the first data stream are the same as the characters in the second data stream or not according to the flow in the same TCP connection;
if the two data streams are the same, acquiring the character lengths of the load parts in the first data stream and the second data stream, if the character lengths of the load parts in the first data stream and the second data stream are respectively one byte, the conversation flow is in a single character echo mode, and if the character lengths of the load parts in the first data stream and the second data stream are respectively more than one byte, the conversation flow is in a multi-character echo mode.
7. The method of claim 6, wherein obtaining the character lengths of the payload portions in the first data stream and the second data stream, wherein if the character lengths of the payload portions in the first data stream and the second data stream are respectively one byte, the session traffic is in a single-character echo mode, and if the character lengths of the payload portions in the first data stream and the second data stream are respectively greater than one byte, the session traffic is in a multi-character echo mode, comprising:
acquiring the character lengths of the load parts in the first data stream and the second data stream, and counting the number of the load parts which respectively have one byte in the first data stream and the second data stream and meet the requirement of the character lengths if the character lengths of the load parts in the first data stream and the second data stream are respectively one byte;
if the number of load parts with the character length of one byte respectively in the first data stream and the second data stream is larger than a preset number threshold, the conversation flow is in a single-character echo mode.
8. The method of claim 1, wherein when the IOT device has a potential intrusion risk, determining whether an output ending command in a random character form exists in the session traffic comprises:
analyzing the session flow to respectively obtain a third data stream sent by the login equipment to the Internet of things equipment and a fourth data stream sent by the Internet of things equipment to the login equipment;
determining whether at least two commands exist in the third data stream, and if at least two commands exist in the third data stream, judging whether a last command carries a random character;
if the last command carries a random character, judging whether response traffic aiming at the random character exists in the fourth data stream;
if the fourth data stream has a response flow for the random character, an output ending command in the form of the random character exists in the session flow.
9. The method of claim 1, wherein when the IOT device is at a potential intrusion risk, determining whether an output end command in the form of random characters exists in the session traffic comprises:
when the Internet of things equipment has a potential intrusion risk, acquiring the number of output ending commands in a random character form in the session flow;
judging whether the number of output ending commands in the form of random characters in the session flow is greater than a preset number threshold value or not;
if so, calibrating an output ending command with a random character form in the conversation flow; if not, the output ending command in the form of the random character does not exist in the conversation flow is calibrated.
10. A detection apparatus, comprising at least one processor and a memory communicatively coupled to the at least one processor, wherein the memory stores instructions executable by the at least one processor and programmed to perform the method of any one of claims 1 to 9.
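As an added illustration that is not part of the patent, the following Python runs the checks of claims 7 to 9 over a constructed telnet-style session: the one-byte payload count of claim 7 on both directions, the trailing random token and its echoed response of claim 8, and the count threshold of claim 9. The record format, the direction labels, both thresholds and the heuristic for what counts as a "random character" are assumptions, since the claims do not define them.

```python
# Added example, not the patent's own code: claims 7 to 9 over a constructed session.
# Records are (direction, payload): "c2d" = login device -> IoT device, "d2c" = reverse.
import re

SHELL_WORDS = {"sh", "ls", "cd", "cat", "echo", "exit", "enable", "shell"}  # assumed

def single_char_echo_mode(records, min_count=8):
    """Claim 7: typing sends and echoes one byte at a time (threshold assumed)."""
    ones = [d for d, p in records if len(p) == 1]
    return ones.count("c2d") > min_count and ones.count("d2c") > min_count

def commands(records):
    """Reassemble the login->device bytes and split them into non-empty lines."""
    data = b"".join(p for d, p in records if d == "c2d").replace(b"\r\n", b"\n")
    return [ln.strip() for ln in data.split(b"\n") if ln.strip()]

def trailing_marker(cmd):
    """Assumed heuristic for 'carries a random character': the last token is
    alphanumeric, 4+ chars, not purely lowercase and not an ordinary shell word."""
    parts = cmd.split()
    tok = parts[-1].decode("ascii", "ignore") if len(parts) > 1 else ""
    ok = re.fullmatch(r"[A-Za-z0-9]{4,}", tok) and tok != tok.lower()
    return tok if ok and tok.lower() not in SHELL_WORDS else None

def answered_markers(records):
    """Claim 8 over every command: trailing markers the device output echoes back."""
    cmds = commands(records)
    if len(cmds) < 2:  # claim 8 requires at least two commands
        return []
    reply = b"".join(p for d, p in records if d == "d2c")
    return [m for m in map(trailing_marker, cmds) if m and m.encode() in reply]

def has_output_end_command(records, min_markers=1):
    """Claim 9: more answered markers than the (assumed) count threshold."""
    return len(answered_markers(records)) > min_markers

def keystrokes(text):
    """Constructed: one record per typed byte, each echoed by the device."""
    return [(d, bytes([b])) for b in text.encode() for d in ("c2d", "d2c")]

# Constructed session: interactive login and one typed command, then two
# scripted commands that end in a random token the device echoes back.
SAMPLE = ([("d2c", b"login: ")] + keystrokes("admin\r\n") + [("d2c", b"# ")]
          + keystrokes("uname -a\r\n") + [("d2c", b"Linux (constructed)\r\n# ")]
          + [("c2d", b"cat /proc/version; echo Kz9Qp2\r\n"),
             ("d2c", b"Linux version 3.x (constructed)\r\nKz9Qp2\r\n# "),
             ("c2d", b"ls /tmp; echo Rw3Ln8\r\n"), ("d2c", b"\r\nRw3Ln8\r\n# ")])
# Constructed benign session: interactive typing only, no trailing random tokens.
BENIGN = ([("d2c", b"login: ")] + keystrokes("admin\r\n") + [("d2c", b"# ")]
          + keystrokes("cat /etc/hostname\r\n") + [("d2c", b"cam01\r\n# ")])
```

Both sessions are in single-character echo mode, so both are flagged as a potential risk under claim 7; only SAMPLE also carries echoed random markers, which is what claims 8 and 9 use to confirm the intrusion.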
CN201910767588.6A 2019-08-20 2019-08-20 Method and device for detecting intrusion of Internet of things equipment Active CN110572372B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910767588.6A CN110572372B (en) 2019-08-20 2019-08-20 Method and device for detecting intrusion of Internet of things equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910767588.6A CN110572372B (en) 2019-08-20 2019-08-20 Method and device for detecting intrusion of Internet of things equipment

Publications (2)

Publication Number Publication Date
CN110572372A CN110572372A (en) 2019-12-13
CN110572372B true CN110572372B (en) 2021-12-10

Family

ID=68775366

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910767588.6A Active CN110572372B (en) 2019-08-20 2019-08-20 Method and device for detecting intrusion of Internet of things equipment

Country Status (1)

Country Link
CN (1) CN110572372B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1434408A2 (en) * 2002-12-23 2004-06-30 Authenture, Inc. Authentication system and method based upon random partial pattern recognition
CN101562603A (en) * 2008-04-17 2009-10-21 北京启明星辰信息技术股份有限公司 Method and system for parsing telnet protocol by echoing
US9323819B1 (en) * 2010-12-29 2016-04-26 Emc Corporation Facilitating valid data entry
CN107046549A (en) * 2017-05-31 2017-08-15 郑州轻工业学院 Immune-based novel distributed intrusion detection method and system for the Internet of Things
CN108847983A (en) * 2018-06-27 2018-11-20 电子科技大学 Intrusion detection method based on the MQTT protocol

Also Published As

Publication number Publication date
CN110572372A (en) 2019-12-13

Similar Documents

Publication Publication Date Title
US9438623B1 (en) Computer exploit detection using heap spray pattern matching
JP6441957B2 (en) Systems, devices, and methods that automatically validate exploits on suspicious objects and highlight display information associated with the proven exploits
CN111651757B (en) Method, device, equipment and storage medium for monitoring attack behaviors
CN107294982B (en) Webpage backdoor detection method and device and computer readable storage medium
US9973531B1 (en) Shellcode detection
EP4027604A1 (en) Security vulnerability defense method and device
KR100862187B1 (en) A Method and a Device for Network-Based Internet Worm Detection With The Vulnerability Analysis and Attack Modeling
CN109379341B (en) Rebound remote control Trojan network flow detection method based on behavior analysis
US20220263823A1 (en) Packet Processing Method and Apparatus, Device, and Computer-Readable Storage Medium
CN110830330B (en) Firewall testing method, device and system
CN112738071A (en) Method and device for constructing attack chain topology
WO2019190403A1 (en) An industrial control system firewall module
CN107707549B (en) Device and method for automatically extracting application characteristics
CN106911665B (en) Method and system for identifying malicious code weak password intrusion behavior
CN109474567B (en) DDOS attack tracing method and device, storage medium and electronic equipment
CN110572372B (en) Method and device for detecting intrusion of Internet of things equipment
CN111245800B (en) Network security test method and device, storage medium and electronic device
CN112615867B (en) Data packet detection method and device
Ponomarev Intrusion Detection System of industrial control networks using network telemetry
CN114363059A (en) Attack identification method and device and related equipment
AU2019273972B2 (en) Determination method, determination device and determination program
KR102001814B1 (en) A method and apparatus for detecting malicious scripts based on mobile device
CN117081855B (en) Honeypot optimization method, honeypot protection method and honeypot optimization system
CN111913430B (en) Detection and protection method and system for control behavior of industrial control system
CN115174265B (en) ICMP hidden tunnel detection method based on flow characteristics

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: A method and device for detecting intrusion of Internet of things devices

Effective date of registration: 20220608

Granted publication date: 20211210

Pledgee: Hengfeng Bank Co.,Ltd. Wuhan Branch

Pledgor: WUHAN GREENET INFORMATION SERVICE Co.,Ltd.

Registration number: Y2022420000150

PC01 Cancellation of the registration of the contract for pledge of patent right

Date of cancellation: 20221121

Granted publication date: 20211210

Pledgee: Hengfeng Bank Co.,Ltd. Wuhan Branch

Pledgor: WUHAN GREENET INFORMATION SERVICE Co.,Ltd.

Registration number: Y2022420000150
