CN111669746B - Protection system for information security of Internet of things - Google Patents

Protection system for information security of Internet of things Download PDF

Info

Publication number
CN111669746B
CN111669746B CN202010513418.8A CN202010513418A CN111669746B CN 111669746 B CN111669746 B CN 111669746B CN 202010513418 A CN202010513418 A CN 202010513418A CN 111669746 B CN111669746 B CN 111669746B
Authority
CN
China
Prior art keywords
component
communication protocol
processing unit
access
proxy communication
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010513418.8A
Other languages
Chinese (zh)
Other versions
CN111669746A (en
Inventor
卢俊文
吴克寿
马樱
刘冠峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xiamen University of Technology
Original Assignee
Xiamen University of Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Xiamen University of Technology filed Critical Xiamen University of Technology
Priority to CN202010513418.8A priority Critical patent/CN111669746B/en
Publication of CN111669746A publication Critical patent/CN111669746A/en
Application granted granted Critical
Publication of CN111669746B publication Critical patent/CN111669746B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90Details of database functions independent of the retrieved data types
    • G06F16/95Retrieval from the web
    • G06F16/955Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
    • G06F16/9566URL specific, e.g. using aliases, detecting broken or misspelled links
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/554Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/009Security arrangements; Authentication; Protecting privacy or anonymity specially adapted for networks, e.g. wireless sensor networks, ad-hoc networks, RFID networks or cloud networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • General Physics & Mathematics (AREA)
  • Business, Economics & Management (AREA)
  • Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Accounting & Taxation (AREA)
  • Software Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Finance (AREA)
  • Strategic Management (AREA)
  • General Business, Economics & Management (AREA)
  • Computer Hardware Design (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a protection system for information security of the Internet of things, comprising a transceiver, a limit rule, a processing unit and a network device, wherein the transceiver is configured to be connected to a network and receive a device-specific connection limit rule, the limit rule specifies a rule for controlling connection of an identified first component during communication using a proxy communication protocol, and receives a request to access the proxy communication protocol from the first component to enable communication with a second component; the transceiver, the restriction rules, the control connections between the network device and the processing unit. Enabling a deletion service by employing the processing unit also in response to a report that the personal information was stolen; initiating a disassembly service in response to the report of the theft of the personal information and the determination that the potential impact level exceeds a threshold; deletion can be accomplished manually or automatically, and by notifying the browser company of the dangerous URL so that the browser will automatically block access and alert the user that the URL is associated with potentially malicious activity.

Description

Protection system for information security of Internet of things
Technical Field
The invention relates to the technical field of information security, in particular to a protection system for information security of the Internet of things.
Background
With the increasing popularity of computer and network applications and the increasing abundance of different domain traffic categories, there is increased security and ease of use.
As in the prior art CN104348807a, a customizable browser-based security information interaction method is disclosed, and some malicious trojan horse programs may be disguised as security controls and illegally operated after being installed, so that there is a great potential safety hazard, and meanwhile, because a security accessory in the form of a specific network device is required, the cost is high and the use is inconvenient.
Another typical prior art method of access request without exposing access information, as disclosed in US20130117185A1, is that the security function of the browser is subject to additional software, so that the risk of infection of computer viruses is very high for computers not having internet security software installed. In addition, in an active browser system as disclosed in the prior art of US20060168101A1, a third party security detection tool is generally used to detect security of a system or an application program (such as a browser) in the system, so that intelligent threats cannot be detected quickly, and great hidden danger exists in use and theft of personal information.
The invention is designed for solving the problems that the information guarantee is lack, controls are additionally installed, the protection effect is poor, illegal modification of the webpage cannot be monitored, the data and fund safety of a user cannot be protected and the like in the field generally exist.
Disclosure of Invention
The invention aims to provide a protection system for information security of the Internet of things, aiming at the defects of the information security of the Internet of things at present.
In order to overcome the defects in the prior art, the invention adopts the following technical scheme:
a guard system for internet of things information security, comprising a transceiver, a restriction rule, a processing unit and a network device, the transceiver being configured to connect to a network and receive device-specific connection restriction rules, the restriction rules specifying rules for controlling connection of an identified first component during communication using a proxy communication protocol, and to receive a request from the first component to access the proxy communication protocol to enable communication with a second component; the transceiver, the restriction rules, the network device and the processing unit control connections therebetween.
Optionally, the processing unit is configured to connect the first component to the second component based on the access request to allow the first component to read or write data using the proxy communication protocol; monitoring traffic associated with the first component while the first component uses the proxy communication protocol to read data from or write data to the second component; and controlling traffic associated with the first component based on traffic monitoring and application of the device-specific connection restriction rules.
Optionally, the constraint rule is configured to specify a rule for controlling the connection of the identified first component during communication using the proxy communication protocol;
receiving, at the network device, a request from the first component to access a proxy communication protocol to enable communication with the at least one second component;
the network device connecting the first component to the second component based on the access request to allow the first component to read or write data using the proxy communication protocol;
the network device is configured to monitor traffic related to the first component reading data from or writing data to the second component using the proxy communication protocol;
the network device controls traffic associated with the first component based on traffic monitoring and application of device-specific connection restriction rules. Optionally, when controlling the traffic associated with the first component based on the memory usage, the processing unit is further configured to: traffic to or from the first component is throttled while monitoring memory usage of the first component and indicating that memory usage on the first component reaches a certain threshold. Optionally, the transceiver is further configured to: transmitting a test vector and a measurement request to the first component: and receiving, from the first component, a measurement in bit error rate or signal-to-noise ratio based on receipt of the test vector at the first component in response to the measurement request; wherein the processing unit is further configured to: determining whether the first component is vulnerable to message interception or eavesdropping based on the measurements in the bit error rate or signal-to-noise ratio, and disconnecting the first component from access to at least one of the second components, and determining whether the first component is vulnerable to message interception or eavesdropping via a proxy communication protocol.
Optionally, the processing unit is further configured to: based on the information theory encoding technique used for determining whether the first component is secure, the proxy communication protocol is implemented between the first component and at least one of the second components to detect whether it is easily intercepted or eavesdropped by a message.
The beneficial effects obtained by the invention are as follows:
1. the access to the account is limited by the limiting rule in the process of logging in the personal funds account by the user, and meanwhile, the input and output operations are limited on the page, so that the safety of the account is ensured;
2. enabling a deletion service by employing the processing unit also in response to a report that personal information was stolen; initiating a disassembly service in response to the report of the theft of the personal information and the determination that the potential impact level exceeds a threshold; deletion can be accomplished manually or automatically, and by notifying the browser company of the dangerous URL so that the browser will automatically block access and alert the user that the URL is associated with potentially malicious activity;
3. the hardware security module can be responsive to the restriction rule by employing the hardware security module, the hardware security module being capable of providing a session key to the restriction rule; the session key can be provided from the hardware security module through the data enabling service, so that the security of personal information of the user in the browsing process is ensured, and meanwhile, the threat of malicious links or Trojan to the whole system is prevented;
4. the security control is configured to receive access request data from the web browser, generate a dynamic access request password based on the received access request data, and sign the dynamic access request password by using a restriction rule server encryption key, so that the security of the request password is ensured, and the access process is not tracked or stolen;
5. by employing the restriction rules, the one or more programming is also triggered automatically, if the hashed data includes login credentials, the credentials may be reset automatically, or access to the account may be blocked, and an email or other alert may be pending for the administrator.
Drawings
The invention will be further understood from the following description taken in conjunction with the accompanying drawings. The components in the figures are not necessarily to scale, emphasis instead being placed upon illustrating the principles of the embodiments. Like reference numerals designate corresponding parts throughout the different views.
Fig. 1 is a schematic control flow chart of the present invention.
FIG. 2 is a schematic diagram of a control flow between the first component and the second component.
Fig. 3 is a schematic diagram of a control flow of the restriction rule.
FIG. 4 is a schematic diagram of a control flow based on the flow associated with the first component.
Fig. 5 is a schematic diagram of a control flow for detecting message blocking or eavesdropping.
Fig. 6 is a control flow diagram of the third embodiment.
Detailed Description
The technical scheme and advantages of the present invention will become more apparent, and the present invention will be further described in detail with reference to the following examples thereof; it should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention. Other systems, methods, and/or features of the present embodiments will be or become apparent to one with skill in the art upon examination of the following detailed description. It is intended that all such additional systems, methods, features and advantages be included within this description, be within the scope of the invention, and be protected by the accompanying claims. Additional features of the disclosed embodiments are described in, and will be apparent from, the following detailed description.
The same or similar reference numbers in the drawings of embodiments of the invention correspond to the same or similar components; in the description of the present invention, it should be understood that, if there is an orientation or positional relationship indicated by the terms "upper", "lower", "left", "right", etc., based on the orientation or positional relationship shown in the drawings, this is for convenience of description and for simplification of the description, rather than to indicate or imply that the apparatus or components referred to must have a specific orientation.
Embodiment one: a guard system for internet of things information security, comprising a transceiver, a restriction rule, a processing unit and a network device, the transceiver being configured to connect to a network and receive device-specific connection restriction rules, the restriction rules specifying rules for controlling connection of an identified first component during communication using a proxy communication protocol, and to receive a request from the first component to access the proxy communication protocol to enable communication with a second component; control connections among the transceiver, the restriction rules, the network device, and the processing unit; the processing unit is configured to connect the first component to the second component based on the access request to allow the first component to read or write data using the proxy communication protocol; monitoring traffic associated with the first component while the first component uses the proxy communication protocol to read data from or write data to the second component; and controlling traffic associated with the first component based on traffic monitoring and application of the device-specific connection restriction rules; the constraint rules are configured to specify rules for controlling the connection of the identified first component during communication using the proxy communication protocol; receiving, at the network device, a request from the first component to access a proxy communication protocol to enable communication with the at least one second component; the network device connecting the first component to the second component based on the access request to allow the first component to read or write data using the proxy communication protocol; the network device is configured to monitor traffic related to the first component reading data from or writing data to the second component using the proxy communication protocol; the network device controlling traffic associated with the first component in accordance with traffic monitoring and application of device-specific connection restriction rules; optionally, when controlling the traffic associated with the first component based on the memory usage, the processing unit is further configured to: throttling traffic to or from the first component while monitoring memory usage of the first component and indicating that memory usage on the first component reaches a certain threshold; the transceiver is further configured to: transmitting a test vector and a measurement request to the first component: and receiving, from the first component, a measurement in bit error rate or signal-to-noise ratio based on receipt of the test vector at the first component in response to the measurement request; wherein the processing unit is further configured to: determining whether the first component is susceptible to message interception or eavesdropping based on the measurements in the bit error rate or signal-to-noise ratio, and disconnecting the first component from access to at least one of the second components, and determining whether the first component is susceptible to message interception or eavesdropping via a proxy communication protocol; the processing unit is further configured to: based on the information theory encoding technique used for determining whether the first component is secure, the proxy communication protocol is implemented between the first component and at least one of the second components to detect whether it is easily intercepted or eavesdropped by a message.
Embodiment two: this embodiment should be understood to include at least all of the features of any one of the foregoing embodiments, and further improve upon them, and in particular, to provide a protection system for information security of the internet of things, including a transceiver configured to connect to a network and receive device-specific connection restriction rules specifying rules for controlling connection of an identified first component during communication using a proxy communication protocol, and to receive a request from the first component to access the proxy communication protocol to enable communication with a second component; control connections among the transceiver, the restriction rules, the network device, and the processing unit; specifically, in this embodiment, the first component and the second component both act on the device on the browser system, and a browsing system is formed between the first component and the second component and the transceiver, the processing unit and the network device; the transceiver is configured to perform an operation of acquiring information of the network device, in this embodiment, the processor and the network device are connected in a mutually controlled manner to form an initial system, and an instruction sent by the initial system is configured to perform an operation of encrypting a plaintext space, a ciphertext space, a key space and a cryptographic algorithm; the initial system includes a password generator, the password generator responds to refreshing the key space according to time, the key algorithm can be generated according to methods well known to those skilled in the art, and the details are not repeated in this embodiment;
the processing unit is configured to connect the first component to the second component based on the access request to allow the first component to read or write data using the proxy communication protocol; monitoring traffic associated with the first component while the first component uses the proxy communication protocol to read data from or write data to the second component; and controlling traffic associated with the first component based on traffic monitoring and application of the device-specific connection restriction rules; specifically, in the present embodiment, the first component and the second component include, but are not limited to, the following listed cases: comprises a security component, an extraction component and a networking component; the first component is connected with the second component to respond to the normative text request, so that the processing unit uses the proxy communication protocol to perform reading or writing operation, meanwhile, when the first component uses the proxy communication protocol to read data from or write data to the second component, traffic associated with the first component is monitored, networking state is monitored, if the traffic to be associated exceeds a set threshold value, the first component is limited, and the networking state of the first component is limited by using the limiting rule; in particular, the constraint rule is configured to specify a rule for controlling the connection of the identified first component during communication using the proxy communication protocol; receiving, at the network device, a request from the first component to access a proxy communication protocol to enable communication with the at least one second component; the network device connecting the first component to the second component based on the access request to allow the first component to read or write data using the proxy communication protocol; the network device is configured to monitor traffic related to the first component reading data from or writing data to the second component using the proxy communication protocol; the network device controlling traffic associated with the first component in accordance with traffic monitoring and application of device-specific connection restriction rules; in particular, when controlling the traffic associated with the first component based on the memory usage, the processing unit is further configured to: throttling traffic to or from the first component while monitoring memory usage of the first component and indicating that memory usage on the first component reaches a certain threshold;
the transceiver is further configured to: transmitting a test vector and a measurement request to the first component: and receiving, from the first component, a measurement in bit error rate or signal-to-noise ratio based on receipt of the test vector at the first component in response to the measurement request; wherein the processing unit is further configured to: determining whether the first component is susceptible to message interception or eavesdropping based on the measurements in the bit error rate or signal-to-noise ratio, and disconnecting the first component from access to at least one of the second components, and determining whether the first component is susceptible to message interception or eavesdropping via a proxy communication protocol; specifically, in the process of monitoring that the state of the first component is vulnerable, the processing unit limits access of at least one second component of the first component, and at the same time, is further configured to: implementing the proxy communication protocol between the first component and at least one of the second components using information theoretical encoding techniques for physical layer security based on information used to determine whether the first component is secure, detects whether it is susceptible to interception or eavesdropping by messages; specifically, by limiting at the physical layer; in this embodiment, the restriction rules are also responsive to automatically triggering one or more programming, which may be automatically reset if the hashed data includes login credentials, or may prevent access to the account, and may be subject to further operations by the administrator, such as: sending an email or other alert; in this embodiment, when the user logs in the personal funds account, the limiting rule limits the access to the account, and at the same time, the user is limited to perform the input and output operations on the page first, so as to ensure the security of the account; if automatic programming is triggered, the processor performs a location operation, and based on the located data, surrounding data, and content related thereto, can determine that the domain name or URL is being used for an improper purpose, such as: domain name preemption, phishing for customer information and credentials; the processing unit is further capable of initiating a deletion service in response to a report that the personal information was stolen; initiating a disassembly service in response to the report of the theft of the personal information and the determination that the potential impact level exceeds a threshold; deletion can be accomplished manually or automatically, and by notifying the browser company of the dangerous URL so that the browser will automatically block access and alert the user that the URL is associated with potentially malicious activity; in this embodiment, deleting a service may include manually or automatically submitting a complaint or interacting with a domain name registrar or a network hosting service to deregister or block access to a particular site.
Embodiment III: this embodiment should be understood to include at least all of the features of any one of the foregoing embodiments, and further improve upon the foregoing embodiments, and in particular, provide a computing device comprising: a restriction rule, a security control, a network interface, and a communication interface configured to receive a user encryption key from a remote key management service, the user encryption key configured for session key protection shared with the restriction rule; the security control is configured to receive access request data from a web browser, generate a dynamic access request password based on the received access request data, and sign the dynamic access request password with a restriction rule server encryption key; the network interface is configured to transmit a dynamic access request password signed with the limit rule server encryption key to the limit rule server system; the security control is configured to generate data remote secure login credentials based on the received access request data and sign the credentials with the user encryption key; the access request verification module is used for authenticating a user and sending authentication information of the user authentication to the security control of the restriction rule; the security control of the restriction rule is further configured to generate the access request password based on the authentication information received from the networked device; the security control can have a relay station, which is further configured to operate based on the restriction rule, and in this embodiment, the relay station can also be replaced equally with the password generator, which is well known to those skilled in the art, so that in this embodiment, a detailed description is omitted;
in this embodiment, after verifying the authentication information and generating the access request password, the browsing interface forms a protection network for protection, and accesses the protection network to route the access request information to various network devices including, but not limited to, a data enabling service, an information provider, and a hardware security module; data information hosted by an information provider can be installed on a user device; the user can preview the addition of access requests to the data information and use these access requests when accessing the restriction rule server; the constraint rules server can associate itself with a trusted authoritative hardware security module and receive a private key known only to the constraint rules server; meanwhile, the hardware security module can reserve a public key of the user corresponding to the private key of the user, and the public key can be used for encrypting data which can only be decrypted through the private key; the public key can be securely provided to the restriction rules on the user device and can be used to sign the access password generated by the restriction rules;
the user can utilize a trusted authority such as a hardware security module to place restrictions on the browsing system; the hardware security module can generate a key pair in response, wherein the key pair comprises a public key and a private key, and returns the private key to the restriction rule server; the hardware security module can be responsive to a restriction rule, the hardware security module can provide a session key to the restriction rule; the session key can be provided from the hardware security module through the data enabling service, so that the security of personal information of the user in the browsing process is ensured, and meanwhile, the threat of malicious links or Trojan to the whole system is prevented; the session key can be used for secret communication between the hardware security module and the restriction rules even when data is communicated via one or more intermediaries, such as an information provider; the user equipment initiates an access request with the restriction rule server; in this embodiment, a web browser can be used to open a preview page of a web site of a constraint rules server, while at the same time, the user can be provided with an opportunity to choose whether to select an access request from data information hosted by an information provider and use a remote secure access procedure; here, the user selects to process the access via a remote secure access process using an access request stored in data information hosted by the information service provider; the networked device is capable of authenticating that the user of the user device is an authorized user of the selected access request via one or more authentication protocols such as biometric, facial, retinal, PIN, etc.; in addition, success or failure of user authentication can be provided to the restriction rule; access request details such as: access request data, date, time, restriction rule server ID, etc., can be forwarded to the interface; in this embodiment, the restriction rule server is further capable of providing, in addition to the access request details, a signature public key of the restriction rule server to the user device, the user public key being capable of being provided together with the access request details in the user-logged-in interface; in this embodiment, the user is able to provide his signed public key to the interface and then does not need to request the user key from the hardware security module; alternatively, the constraint rule server can provide a constraint rule server ID of the constraint rule server instead of the public key; in this case, the interface can request the signed constraint rule server key from the hardware security module using the constraint rule server ID; if no limit rule server public key is provided in the interface after the user logs in, after the key pair is acquired and authorized, the interface sends a request for the encryption key to the information provider, the request including some access request details and the limit rule server ID; the authorization process needs to pass through the multiple authentication protocols to authenticate that the user of the user equipment is the authorized user of the selected access request, and the personal information of the user is ensured to be safe through multiple times of authentication;
in this embodiment, the access request details can be encrypted using the information provider's public key to maintain security; however, instead of generating an access password, the information provider can forward the request to the hardware security module; the hardware security module identifies the restriction rule server based on the restriction rule server ID and encrypts the signed restriction rule server public key therein using the session key previously shared with the security element; in addition, at the interface after the user logs in, the hardware security module sends the public key of the signed restriction rule server to the information provider under the protection of the session key; the information provider cannot see the signed constraint rule server public key due to encryption; in the interface after the user logs in, the information provider forwards the public key of the signed restriction rule server to the interface; the interface forwards the request for secure remote access to a secure element comprising an encrypted limit rule server public key; in the interface after user login, the restriction rule can decrypt the encrypted signed restriction rule server public key using the session key shared therein; the method comprises the steps that at an interface after a user logs in, a limit rule generates remote access or login comprising effective data and is used for verifying an access request of a limit rule server; the password can include data based on the access request, for example: a tokenized PAN, validity period, verification code, restriction rule server information, date, time and the like; in addition, the password can include user authentication information provided from the networked device, while successful user authentication can be identified by a tag or value added to the password; in the process of access and information verification, the encrypted access requests are respectively forwarded to a web browser and then forwarded to a restriction rule server; the constraint rule server is capable of decrypting the encryption using a private constraint rule server key that the constraint rule server only knows; if the decryption is successful, the constraint rules server knows that the public key has been provided by the hardware security module to the constraint rules with an information provider key that can be used to verify the integrity of the trusted relay; in the access request, the user equipment makes an access request with the restriction rule server via the trusted relay; in the access procedure, the access request details can be forwarded to the interface and the restriction rules together with the restriction rule server key that has been signed by the trusted relay using its private key; the interface can send a request to the restriction rule to verify the integrity of the signature of the trusted relay on the user key and also generate; during the access, the security element can verify the signature of the trusted relay added to the user key received in the access request using the information key provided therein from the information provider; in this embodiment, the information provider key can be used to verify the integrity of the trusted relay key by decoding the signature of the trusted relay on the user key received therein; in addition, by verifying the signature of the trusted relay, the restriction rule server key can also be verified, as it comes from a valid trusted relay station; in this embodiment, the restriction rule server key is held by a trusted relay; also, the restriction rule may not be aware of the restriction rule server, but is aware of the trusted relay, and can verify the key of the trusted relay using the key provided from the information provider.
In the foregoing embodiments, the descriptions of the embodiments are emphasized, and in part, not described or illustrated in any particular embodiment, reference is made to the related descriptions of other embodiments.
In summary, in the protection system for information security of the present invention, the limiting rule is adopted to limit the access to the account when the user logs in the personal funds account, and at the same time, the input and output operations are limited on the page, so as to ensure the security of the account; enabling a deletion service by employing the processing unit also in response to a report that personal information was stolen; initiating a disassembly service in response to the report of the theft of the personal information and the determination that the potential impact level exceeds a threshold; deletion can be accomplished manually or automatically, and by notifying the browser company of the dangerous URL so that the browser will automatically block access and alert the user that the URL is associated with potentially malicious activity; the hardware security module can be responsive to the restriction rule by employing the hardware security module, the hardware security module being capable of providing a session key to the restriction rule; the session key can be provided from the hardware security module through the data enabling service, so that the security of personal information of the user in the browsing process is ensured, and meanwhile, the threat of malicious links or Trojan to the whole system is prevented; the security control is configured to receive access request data from the web browser, generate a dynamic access request password based on the received access request data, and sign the dynamic access request password by using a restriction rule server encryption key, so that the security of the request password is ensured, and the access process is not tracked or stolen; by employing the restriction rules, the one or more programming is also triggered automatically, if the hashed data includes login credentials, the credentials may be reset automatically, or access to the account may be blocked, and an email or other alert may be pending for the administrator.
While the invention has been described above with reference to various embodiments, it should be understood that many changes and modifications can be made without departing from the scope of the invention. That is, the methods, systems and devices discussed above are examples. Various configurations can omit, replace, or add various procedures or components as appropriate. For example, in alternative configurations, the methods can be performed in a different order than described, and/or various components can be added, omitted, and/or combined. Moreover, features described with respect to certain configurations can be combined in various other configurations, such as different aspects and elements of the configurations can be combined in a similar manner. Furthermore, as technology evolves, elements therein can be updated, i.e., many of the elements are examples, and do not limit the scope of the disclosure or the claims.
Specific details are given in the description to provide a thorough understanding of exemplary configurations involving implementations. However, it is possible to practice the configuration without these specific details-for example, well-known circuits, processes, algorithms, structures and techniques have been shown without unnecessary detail in order to avoid obscuring the configuration. This description provides only an example configuration and does not limit the scope, applicability, or configuration of the claims. Rather, the foregoing description of the configuration will provide those skilled in the art with an enabling description for implementing the described techniques. Various changes may be made in the function and arrangement of elements without departing from the spirit or scope of the disclosure.
It is intended that the foregoing detailed description be regarded as illustrative rather than limiting, and that it be understood that it is intended that it be regarded as illustrative rather than limiting. After reading the description of the invention, the skilled person is able to make various changes or modifications of the invention, these equivalent variations and modifications likewise falling within the scope of the invention as defined in the claims.

Claims (5)

1. A protection system for internet of things information security, comprising a transceiver configured to connect to a network and receive device-specific connection restriction rules, the restriction rules configured to specify rules for controlling connection of an identified first component during communication using a proxy communication protocol, and to receive a request from the first component to access the proxy communication protocol to enable communication with a second component, a restriction rule, a processing unit, and a network device; control connections among the transceiver, the restriction rules, the network device, and the processing unit; the first component and the second component both act on the browser system to form a browsing system with the transceiver, the processing unit and the network device; the transceiver is used for acquiring information of the network equipment, the processing unit and the network equipment are mutually controlled and connected to form an initial system, and an instruction sent by the initial system is configured to encrypt a plaintext space, a ciphertext space, a key space and a cryptographic algorithm;
wherein the processing unit is configured to connect the first component to the second component based on an access request to allow the first component to read or write data using the proxy communication protocol; monitoring traffic associated with the first component while the first component uses the proxy communication protocol to read data from or write data to the second component; and controlling traffic associated with the first component based on traffic monitoring and application of the device-specific connection restriction rules.
2. The guard system for internet of things information security of claim 1, wherein the constraint rules are configured to specify rules for controlling the connection of the identified first component during communication using a proxy communication protocol;
receiving, at the network device, a request from the first component to access a proxy communication protocol to enable communication with the at least one second component;
the network device connecting the first component to the second component based on the access request to allow the first component to read or write data using the proxy communication protocol;
the network device is configured to monitor traffic related to the first component reading data from or writing data to the second component using the proxy communication protocol;
the network device controls traffic associated with the first component based on traffic monitoring and application of device-specific connection restriction rules.
3. The guard system for internet of things information security of claim 2, wherein when controlling traffic associated with the first component based on memory usage, the processing unit is further configured to: traffic to or from the first component is throttled while monitoring memory usage of the first component and indicating that memory usage on the first component reaches a certain threshold.
4. The protection system for information security of the internet of things of claim 3, wherein the transceiver is further configured to: transmitting a test vector and a measurement request to the first component: and receiving, from the first component, a measurement in bit error rate or signal-to-noise ratio based on receipt of the test vector at the first component in response to the measurement request; wherein the processing unit is further configured to: determining whether the first component is vulnerable to message interception or eavesdropping based on the measurements in the bit error rate or signal-to-noise ratio, and disconnecting the first component from access to at least one of the second components, and determining whether the first component is vulnerable to message interception or eavesdropping via a proxy communication protocol.
5. The protection system for information security of internet of things of claim 4, wherein the processing unit is further configured to: based on the information theory encoding technique used for determining whether the first component is secure, the proxy communication protocol is implemented between the first component and at least one of the second components to detect whether it is easily intercepted or eavesdropped by a message.
CN202010513418.8A 2020-06-08 2020-06-08 Protection system for information security of Internet of things Active CN111669746B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010513418.8A CN111669746B (en) 2020-06-08 2020-06-08 Protection system for information security of Internet of things

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010513418.8A CN111669746B (en) 2020-06-08 2020-06-08 Protection system for information security of Internet of things

Publications (2)

Publication Number Publication Date
CN111669746A CN111669746A (en) 2020-09-15
CN111669746B true CN111669746B (en) 2023-04-21

Family

ID=72385654

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010513418.8A Active CN111669746B (en) 2020-06-08 2020-06-08 Protection system for information security of Internet of things

Country Status (1)

Country Link
CN (1) CN111669746B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113377898B (en) * 2021-08-16 2021-11-23 南京东大智能化系统有限公司 Analysis method based on mass discrete data

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101938673A (en) * 2010-09-19 2011-01-05 中兴通讯股份有限公司 Implementation method and system of call restriction service
CN101938474A (en) * 2010-08-27 2011-01-05 清华大学 Network intrusion detection and protection method and device
CN103503408A (en) * 2011-05-05 2014-01-08 良好科技公司 System and method for providing access credentials
CN105635032A (en) * 2014-10-27 2016-06-01 西安景行数创信息科技有限公司 Network connection system
CN111030751A (en) * 2019-11-29 2020-04-17 南京邮电大学 Multi-degree-of-freedom-based quantum secure direct communication method irrelevant to measuring equipment

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CA3021404A1 (en) * 2017-10-19 2019-04-19 3D Bridge Solutions Inc. Systems, devices and methods for protecting and exchanging electronic computer files

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101938474A (en) * 2010-08-27 2011-01-05 清华大学 Network intrusion detection and protection method and device
CN101938673A (en) * 2010-09-19 2011-01-05 中兴通讯股份有限公司 Implementation method and system of call restriction service
CN103503408A (en) * 2011-05-05 2014-01-08 良好科技公司 System and method for providing access credentials
CN105635032A (en) * 2014-10-27 2016-06-01 西安景行数创信息科技有限公司 Network connection system
CN111030751A (en) * 2019-11-29 2020-04-17 南京邮电大学 Multi-degree-of-freedom-based quantum secure direct communication method irrelevant to measuring equipment

Also Published As

Publication number Publication date
CN111669746A (en) 2020-09-15

Similar Documents

Publication Publication Date Title
US6510523B1 (en) Method and system for providing limited access privileges with an untrusted terminal
US7231526B2 (en) System and method for validating a network session
JP5860815B2 (en) System and method for enforcing computer policy
CN101227468B (en) Method, device and system for authenticating user to network
US7743413B2 (en) Client apparatus, server apparatus and authority control method
US8719568B1 (en) Secure delivery of sensitive information from a non-communicative actor
US20130145447A1 (en) Cloud-based data backup and sync with secure local storage of access keys
US20100088766A1 (en) Method and system for detecting, blocking and circumventing man-in-the-middle attacks executed via proxy servers
US10263782B2 (en) Soft-token authentication system
US20090037992A1 (en) Apparatus, system, and method for generating and authenticating a computer password
CN112910867B (en) Double verification method for trusted equipment to access application
CN114244522B (en) Information protection method, device, electronic equipment and computer readable storage medium
EP2849403A1 (en) Method and system for controlling the exchange of privacy-sensitive information
WO2009065154A2 (en) Method of and apparatus for protecting private data entry within secure web sessions
CN104410580B (en) Credible and secure WiFi routers and its data processing method
JP4698751B2 (en) Access control system, authentication server system, and access control program
CN111464532A (en) Information encryption method and system
CN104243452B (en) A kind of cloud computing access control method and system
CN111669746B (en) Protection system for information security of Internet of things
KR101001197B1 (en) System and method for log-in control
US20100146605A1 (en) Method and system for providing secure online authentication
JP4921614B2 (en) Method and system for preventing man-in-the-middle computer hacking techniques
Latze Stronger Authentication in E-Commerce-How to protect even naıve Users against Phishing, Pharming, and MITM attacks
Karthiga et al. Enhancing performance of user authentication protocol with resist to password reuse attacks
KR20080042582A (en) System and method for protecting a user device using a token device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant