CN112351005A - Internet of things communication method and device, readable storage medium and computer equipment - Google Patents


Info

Publication number: CN112351005A
Application number: CN202011148973.1A
Authority: CN (China)
Prior art keywords: internet, things, information, service system, score
Legal status: Granted (active)
Other languages: Chinese (zh)
Other versions: CN112351005B (en)
Inventors: 张圆, 范渊, 刘博�
Current assignee: Hangzhou Dbappsecurity Technology Co Ltd
Original assignee: Hangzhou Dbappsecurity Technology Co Ltd
Events: application filed by Hangzhou Dbappsecurity Technology Co Ltd; priority to CN202011148973.1A; publication of CN112351005A; application granted; publication of CN112351005B.


Classifications (CPC leaf codes, all under H04L, transmission of digital information)

    • H04L63/1416 Event detection, e.g. attack signature detection (network security: detecting or protecting against malicious traffic by monitoring network traffic)
    • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones (network security: separating internal from external traffic, e.g. firewalls)
    • H04L63/0281 Proxies (network security: separating internal from external traffic)
    • H04L63/1433 Vulnerability analysis (network security: detecting or protecting against malicious traffic)
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L67/141 Setup of application sessions (session management)


Abstract

An Internet of Things (IoT) communication method, an IoT communication device, a readable storage medium and computer equipment are provided. The method comprises the following steps: acquiring risk perception data of the IoT device, and calculating the score values of an attack factor indicator and a threat factor indicator from the risk perception data; determining the trust level of the IoT device from the score value of the attack factor indicator and the score value of the threat factor indicator; and, when the trust level is higher than a level threshold, sending connection establishment information to a service system so that the service system establishes a connection with the IoT device. By evaluating the trust of a device before it is admitted, the invention protects the data of the service system, preventing malicious devices from entering the service system and preventing data leakage.

Description

Internet of things communication method and device, readable storage medium and computer equipment
Technical Field
The invention relates to the technical field of communication, and in particular to an Internet of Things communication method and device, a readable storage medium and computer equipment.
Background
In 2020, the COVID-19 epidemic accelerated the move of daily life online, and ordinary office work was temporarily replaced by remote collaborative work. Remote work has, to some extent, played a positive role in resuming enterprise activity and reviving the economy, but at the same time enterprise intranets face new security threats, and a network security architecture built from a traditional VPN (Virtual Private Network) and a firewall struggles to meet the external network access requirements of a large number of users.
In a traditional network security architecture, a user-end device establishes a connection with the enterprise network after simple identity authentication, and once the device has joined the enterprise network it can freely access, or leak, data beyond its authority, which is a serious potential security hazard. In addition, the security boundary of an enterprise's Internet of Things is becoming increasingly blurred: as the enterprise adds services in areas such as big data and cloud computing, its attack surface grows accordingly, and a traditional security architecture finds this difficult to defend.
Disclosure of Invention
In view of the foregoing, it is necessary to provide an Internet of Things communication method and apparatus, a readable storage medium, and a computer device that address the problem of poor network security in the prior art.
An Internet of Things communication method comprises the following steps:
acquiring risk perception data of the IoT device, and calculating the score values of an attack factor indicator and a threat factor indicator from the risk perception data;
determining the trust level of the IoT device from the score value of the attack factor indicator and the score value of the threat factor indicator;
and, when the trust level is higher than a level threshold, sending connection establishment information to a service system so that the service system establishes a connection with the IoT device.
Further, in the Internet of Things communication method, the risk perception data includes security alarms and vulnerabilities, and the step of calculating the score values of the attack factor indicator and the threat factor indicator from the risk perception data includes:
acquiring the current alarm level, the number of attacks and the attack interval time from each security alarm;
determining a corresponding first base value from the current alarm level, a corresponding first coefficient from the number of attacks, and a second coefficient from the attack interval time;
calculating the score of each security alarm from the first base value, the first coefficient and the second coefficient, and calculating the score value of the attack factor indicator of the IoT device from the scores of all security alarms;
acquiring the grade of each vulnerability, and determining a corresponding second base value from the grade of the vulnerability;
and calculating the score value of the threat factor indicator from the second base values corresponding to the grades of the vulnerabilities.
Further, in the Internet of Things communication method, the score value of the attack factor indicator is calculated as:
Score_{attack,i} = \min\left(\sum Score_{a,i},\ a\right)
where Score_{a,i} = m_i \times k_1 \times k_2, m_i is the first base value, k_1 and k_2 are the first and second coefficients respectively, and a is the upper limit of the score value of the attack factor indicator.
Further, in the Internet of Things communication method, the score value of the threat factor indicator is calculated as:
Score_{vul,i} = \min\left(\sum Score_{v,i},\ b\right)
where Score_{v,i} is the second base value corresponding to the grade of each vulnerability, and b is the upper limit of the score value of the threat factor indicator.
Further, in the Internet of Things communication method, after the step of sending the connection establishment information to the service system, the method further includes:
when the trust level is the low trust level, sending first information to the service system so that the service system refuses the IoT device access to any data;
when the trust level is the middle trust level, sending second information to the service system so that the service system authorizes the IoT device to access public data only;
and when the trust level is the high trust level, sending third information to the service system so that the service system authorizes the IoT device to access all data of the service system.
Further, in the Internet of Things communication method, after the step of sending the connection establishment information to the service system so that the service system establishes a connection with the IoT device, the method further includes:
acquiring risk perception data of the IoT device at preset time intervals;
calculating the current trust level of the IoT device from the currently acquired risk perception data;
and when the current trust level is higher or lower than the previously calculated trust level, sending information corresponding to the current trust level to the access gateway.
Further, in the Internet of Things communication method, before the step of acquiring risk perception data of the IoT device, the method further includes:
acquiring security factor information of the IoT device, where the security factor information includes the IP address, MAC address, operating system version and patch information of the IoT device;
calculating a security score of the IoT device from the security factor information;
and when the security score is higher than a threshold score, sending connection establishment information to an access gateway so that the access gateway establishes a connection with the IoT device.
Further, in the Internet of Things communication method, before the step of sending the connection establishment information to the access gateway so that the access gateway establishes a connection with the IoT device, the method further includes:
acquiring identity information of the user, sent by the IoT device;
verifying the identity information and determining the service authority information of the user;
and the step of sending connection establishment information to the access gateway so that the access gateway establishes a connection with the IoT device includes:
sending connection establishment information to the access gateway so that the access gateway establishes a connection between the IoT device and the network area corresponding to the service authority information.
An embodiment of the present invention further provides an Internet of Things communication device, including:
a first calculation module for acquiring risk perception data of the IoT device and calculating the score values of the attack factor indicator and the threat factor indicator from the risk perception data;
a determining module for determining the trust level of the IoT device from the score values of the attack factor indicator and the threat factor indicator;
and a first sending module for sending connection establishment information to a service system when the trust level is higher than a level threshold, so that the service system establishes a connection with the IoT device.
Further, in the Internet of Things communication device, the risk perception data includes security alarms and vulnerabilities, and the first calculation module includes:
a first calculation submodule for:
acquiring the current alarm level, the number of attacks and the attack interval time from each security alarm;
determining a corresponding first base value from the current alarm level, a corresponding first coefficient from the number of attacks, and a second coefficient from the attack interval time;
calculating the score of each security alarm from the first base value, the first coefficient and the second coefficient, and calculating the score value of the attack factor indicator of the IoT device from the scores of all security alarms;
and a second calculation submodule for:
acquiring the grade of each vulnerability, and determining a corresponding second base value from the grade of the vulnerability;
and calculating the score value of the threat factor indicator from the second base values corresponding to the grades of the vulnerabilities.
Further, in the Internet of Things communication device, after the step of sending the connection establishment information to the service system, the first sending module is further configured to:
when the trust level is the low trust level, send first information to the service system so that the service system refuses the IoT device access to any data;
when the trust level is the middle trust level, send second information to the service system so that the service system authorizes the IoT device to access public data only;
and when the trust level is the high trust level, send third information to the service system so that the service system authorizes the IoT device to access all data of the service system.
Further, the Internet of Things communication device further includes:
a second acquisition module for acquiring risk perception data of the IoT device at preset time intervals;
a second calculation module for calculating the current trust level of the IoT device from the currently acquired risk perception data;
and a second sending module for sending information corresponding to the current trust level to the access gateway when the current trust level is higher or lower than the previously calculated trust level.
Further, the Internet of Things communication device further includes:
a third acquisition module for acquiring security factor information of the IoT device, where the security factor information includes the IP address, MAC address, operating system version and patch information of the IoT device;
a third calculation module for calculating the security score of the IoT device from the security factor information;
and a third sending module for sending connection establishment information to an access gateway when the security score is higher than a threshold score, so that the access gateway establishes a connection with the IoT device.
Further, in the Internet of Things communication device, the third acquisition module is further configured to acquire the identity information of the user sent by the IoT device, verify the identity information, and determine the service authority information of the user;
and the third sending module is configured to:
send connection establishment information to the access gateway so that the access gateway establishes a connection between the IoT device and the network area corresponding to the service authority information.
An embodiment of the present invention further provides a readable storage medium on which a program is stored; when the program is executed by a processor, it implements any of the methods described above.
An embodiment of the present invention further provides a computer device, including a memory, a processor, and a program stored in the memory and executable on the processor; when the processor executes the program, any of the methods described above is implemented.
In the invention, the connection between the service system and the IoT device is established through a trust proxy: the trust level of the device is determined from the risk perception data acquired for the IoT device, and when the trust level is higher than a level threshold, connection establishment information is sent to the service system so that the service system establishes the connection with the device. Evaluating the trust of the device before it is admitted protects the data of the service system, preventing malicious devices from entering the service system and preventing data leakage.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a flowchart of the Internet of Things communication method in the first embodiment of the present invention;
fig. 2 is a flowchart of the Internet of Things communication method in the second embodiment of the present invention;
fig. 3 is a flowchart of the Internet of Things communication method in the third embodiment of the present invention;
fig. 4 is a block diagram of the Internet of Things communication device in the fourth embodiment of the present invention.
Detailed Description
Reference will now be made in detail to embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to the same or similar elements or elements having the same or similar function throughout. The embodiments described below with reference to the accompanying drawings are illustrative only for the purpose of explaining the present invention, and are not to be construed as limiting the present invention.
These and other aspects of embodiments of the invention will be apparent with reference to the following description and attached drawings. In the description and drawings, particular embodiments of the invention have been disclosed in detail as being indicative of some of the ways in which the principles of the embodiments of the invention may be practiced, but it is understood that the scope of the embodiments of the invention is not limited correspondingly. On the contrary, the embodiments of the invention include all changes, modifications and equivalents coming within the spirit and terms of the claims appended hereto.
Referring to fig. 1, the Internet of Things communication method in the first embodiment of the present invention includes steps S11 to S13.
Step S11: acquire risk perception data of the IoT device, and calculate the score values of the attack factor indicator and the threat factor indicator from the risk perception data.
The architecture of Internet of Things communication in this embodiment differs from the traditional architecture: the connection between the network and the IoT device must be established through a trust proxy. The network is the enterprise network, or any other network, that the user wants to access remotely. The trust proxy is, for example, a server; in this embodiment the server monitors hidden dangers in the whole network architecture in real time through a situation awareness system, and monitors the behavioral, environmental and network risks of the IoT device.
When the IoT device requests access to a service system within the network architecture, the server acquires the risk perception data of the IoT device. Specifically, the risk perception data comprises the risk details, behavior profile and vulnerabilities of the IoT device: the risk details include attack sources, security alarms and the like; the behavior profile includes access sources, access traffic and the like; and the vulnerabilities include vulnerability names, threat levels and the like. By monitoring this risk perception data, a risk assessment can be performed on the connection between the IoT device and the service system.
The trust level calculation for the IoT device mainly covers two aspects: the attack factor indicator and the threat factor indicator. The attack factor is the set of security alarms, monitored by the situation awareness system, in which either the attacker or the victim is the IP address or MAC address of the device; the threat factor is the vulnerability information monitored by the situation awareness system.
Preferably, calculating the score value of the attack factor indicator comprises the following steps:
acquiring the current alarm level, the number of attacks and the attack interval time from each security alarm;
determining a corresponding first base value from the current alarm level, a corresponding first coefficient from the number of attacks, and a second coefficient from the attack interval time;
and calculating the score of each security alarm from the first base value, the first coefficient and the second coefficient, and summing these scores to obtain the score value of the attack factor indicator of the IoT device.
Specifically, the alarm level may be divided into three levels: high, medium and low. The alarm level determines the first base value: for example, the first base value for the high level is 10, for the medium level 7, and for the low level 4. The number of attacks determines the first coefficient: for example, 1 attack corresponds to a coefficient of 1, 2 to 5 attacks to a coefficient of 1.5, and 6 or more attacks to a coefficient of 2. The attack interval time determines the second coefficient: for example, an interval within one week corresponds to a coefficient of 1, an interval within one month to a coefficient of 0.5, and an interval of one month or more to a coefficient of 0.1.
Further, the score value of the attack factor indicator has a first upper limit, for example 10, and is calculated as:
Score_{attack,i} = \min\left(\sum Score_{a,i},\ a\right)
where Score_{a,i} = m_i \times k_1 \times k_2, m_i is the first base value, k_1 and k_2 are the first and second coefficients respectively, and a is the upper limit of the score value of the attack factor indicator.
The calculation of the score value of the threat factor indicator comprises the following steps:
acquiring the grade of each vulnerability, and determining a corresponding second base value from the grade of the vulnerability;
and summing the second base values corresponding to all vulnerability grades to obtain the score value of the threat factor indicator.
The vulnerability grade may likewise be set to three grades, each corresponding to a second base value: for example, the second base value for the high grade is 5, for the medium grade 3, and for the low grade 1.
Further, the score value of the threat factor indicator has a second upper limit, for example 50, and is calculated as:
Score_{vul,i} = \min\left(\sum Score_{v,i},\ b\right)
where Score_{v,i} is the second base value corresponding to the grade of each vulnerability, and b is the upper limit of the score value of the threat factor indicator.
The trust score of the IoT device starts at 100, and the final result is calculated from the attack factor score and the threat factor score:
Score_{result} = 100 - Score_{attack,i} - Score_{vul,i}
Step S12: determine the trust level of the IoT device from the score value of the attack factor indicator and the score value of the threat factor indicator.
Step S13: when the trust level is higher than the level threshold, send connection establishment information to the service system so that the service system establishes a connection with the IoT device.
In a specific implementation, the trust level of the IoT device may be set to three levels, for example as shown in Table 1: each trust level corresponds to a score range, and the trust level of the IoT device is determined by the range in which its trust score falls.
TABLE 1 (score range for each trust level; the table is an image on the original page and is not reproduced here)
It will be appreciated that the level threshold may be set to the low trust level: when the trust level of the IoT device is higher than the low trust level, connection establishment information is sent to the service system so that the service system establishes an encrypted connection with the IoT device.
In this embodiment, the connection between the service system and the IoT device is established through the trust proxy: the trust level of the device is determined from the risk perception data acquired for the IoT device, and when the trust level is higher than the level threshold, connection establishment information is sent to the service system so that the service system establishes the connection with the device. Evaluating the trust of the device before it is admitted protects the data of the service system, preventing malicious devices from entering the service system and preventing data leakage.
Further, in another embodiment of the present invention, the server may also determine the data access permission of the IoT device to the system from its trust level, and send corresponding information to the access gateway. The data access permissions are:
no access;
access to public data within the system only;
access to all data within the system.
Specifically, when the trust level of the IoT device is the low trust level, first information is sent to the service system so that the service system refuses the IoT device access to any data; when the trust level is the middle trust level, second information is sent to the service system so that the service system authorizes the IoT device to access public data only; and when the trust level is the high trust level, third information is sent to the service system so that the service system authorizes the IoT device to access all data of the service system.
Furthermore, to maintain the security of the network architecture after the IoT device has connected to the service system, the server can periodically re-evaluate the trust of the IoT device and adjust its access dynamically according to the result, so that the security of the system is maintained. Referring to fig. 2, the Internet of Things communication method in the second embodiment of the present invention includes steps S21 to S23.
Step S21: acquire risk perception data of the IoT device at preset time intervals.
Step S22: calculate the current trust level of the IoT device from the currently acquired risk perception data.
Step S23: when the current trust level is higher or lower than the previously calculated trust level, send information corresponding to the current trust level to the access gateway.
In this embodiment, dynamic access control is performed according to the trust evaluation result and the service request initiated by the IoT device. After the IoT device has connected to the enterprise's service system, its trust score is recalculated periodically and a trust level is assigned from the score. Access is then adjusted dynamically according to the evaluation result: when the current trust level is higher or lower than the previously calculated trust level, information corresponding to the current trust level is sent to the access gateway so that the IoT device's data access authority on the service system is adjusted. If the trust level is too low, data transmission is stopped or the connection is dropped, which keeps the system secure.
It can be understood that, in other embodiments of the present invention, to ensure the security of system data, the trust level may also be determined each time the IoT device accesses the service system, and data may be accessed only when the trust level of the device is higher than the level threshold.
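As an added, self-contained illustration of steps S11 to S13 (admission) and S21 to S23 (periodic re-evaluation), the following Python puts the page's example base values, coefficients and upper limits into a trust-proxy scoring routine; it is example code written for this page, not the patent's own implementation. The attack-interval boundaries (one week, one month) and the Table 1 score ranges (80 and 60) are assumptions, since the page does not reproduce Table 1.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Example values from the page: first base value m_i by alarm level, second
# base value by vulnerability grade, and the two upper limits a and b.
ALARM_BASE = {"high": 10, "medium": 7, "low": 4}
VULN_BASE = {"high": 5, "medium": 3, "low": 1}
ATTACK_CAP = 10   # a: upper limit of the attack factor score
THREAT_CAP = 50   # b: upper limit of the threat factor score


@dataclass
class Alarm:
    """One security alarm from the situation awareness system (constructed input)."""
    level: str            # current alarm level: "high" | "medium" | "low"
    attack_count: int     # number of attacks recorded in this alarm
    interval_days: float  # attack interval time, in days


@dataclass
class Vulnerability:
    """One vulnerability record (constructed input)."""
    name: str
    grade: str            # "high" | "medium" | "low"


def count_coefficient(attack_count: int) -> float:
    """k1 from the number of attacks (page: 1 -> 1, 2 to 5 -> 1.5, 6 or more -> 2)."""
    if attack_count <= 1:
        return 1.0
    if attack_count <= 5:
        return 1.5
    return 2.0


def interval_coefficient(interval_days: float) -> float:
    """k2 from the attack interval. Assumed reading of the page's example:
    within a week -> 1, within a month -> 0.5, a month or more -> 0.1."""
    if interval_days <= 7:
        return 1.0
    if interval_days <= 30:
        return 0.5
    return 0.1


def attack_factor_score(alarms: List[Alarm]) -> float:
    """Score_attack = min(sum over alarms of m_i * k1 * k2, a)."""
    total = sum(ALARM_BASE[al.level] * count_coefficient(al.attack_count)
                * interval_coefficient(al.interval_days) for al in alarms)
    return min(total, ATTACK_CAP)


def threat_factor_score(vulns: List[Vulnerability]) -> float:
    """Score_vul = min(sum over vulnerabilities of the second base value, b)."""
    return min(sum(VULN_BASE[v.grade] for v in vulns), THREAT_CAP)


def trust_score(alarms: List[Alarm], vulns: List[Vulnerability]) -> float:
    """Score_result = 100 - Score_attack - Score_vul."""
    return 100 - attack_factor_score(alarms) - threat_factor_score(vulns)


def trust_level(score: float) -> str:
    """Map the score to low/middle/high. Table 1 is not reproduced on the page,
    so the range boundaries 80 and 60 are assumptions."""
    if score >= 80:
        return "high"
    if score >= 60:
        return "middle"
    return "low"


LEVEL_ORDER = {"low": 0, "middle": 1, "high": 2}
# Data access right per trust level (the first, second and third information).
ACCESS_BY_LEVEL = {"low": "deny_all", "middle": "public_only", "high": "all_data"}


def admission_decision(alarms, vulns, level_threshold="low") -> Tuple[str, bool, str]:
    """Steps S11 to S13: returns (level, connect?, access right). Connection
    establishment information is sent only when the level is strictly higher
    than the threshold; the page sets the threshold to the low level."""
    level = trust_level(trust_score(alarms, vulns))
    connect = LEVEL_ORDER[level] > LEVEL_ORDER[level_threshold]
    return level, connect, ACCESS_BY_LEVEL[level]


def periodic_reevaluation(last_level: str, alarms, vulns) -> Optional[Tuple[str, str]]:
    """Steps S21 to S23: recompute the level; when it moved up or down since the
    last evaluation, return the (level, access right) to push to the gateway."""
    current = trust_level(trust_score(alarms, vulns))
    if current == last_level:
        return None
    return current, ACCESS_BY_LEVEL[current]


if __name__ == "__main__":
    # Constructed sample: one high-level alarm with 3 attacks, the last 2 days
    # ago, plus two high-grade and one medium-grade vulnerability.
    alarms = [Alarm("high", 3, 2)]
    vulns = [Vulnerability("vuln-1", "high"), Vulnerability("vuln-2", "high"),
             Vulnerability("vuln-3", "medium")]
    print(admission_decision(alarms, vulns))        # ('middle', True, 'public_only')
    print(periodic_reevaluation("middle", [], []))  # ('high', 'all_data')
```

Note that with the page's example caps (a = 10, b = 50) the score can never fall below 40, so the low-trust range must start above that for the threshold to ever deny a connection.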
Further, referring to fig. 3, in a third embodiment of the present invention, before the step of obtaining the risk perception data of the internet of things device, the internet of things communication method further includes steps S31 to S33.
Step S31, obtaining the safety factor information of the Internet of things equipment, wherein the safety factor information comprises the IP address, the MAC address, the operating system version and the patch information of the Internet of things equipment.
And step S32, calculating the security score of the Internet of things equipment according to the security factor information.
When the Internet of things device requests access to the service system, it must first be connected to the enterprise network; once connected to the enterprise network, it can request access to data of the service systems in that network.
When the Internet of things device needs to connect to the enterprise network, it sends a connection request. When the server receives the connection request, it sends an instruction to the Internet of things device, and the device sends its security factor information to the server after receiving the instruction. The security factor information is information carried by the Internet of things device that the server uses to assess the security of the device.
After the server receives the security factor information sent by the Internet of things device, the data of each security factor is extracted from it. If the security factor information comprises the IP address, MAC address, operating system version and patch information of the Internet of things device, data for three security factors can be extracted from it: the first security factor is the security level of the network the device accesses, the second is the operating system version, and the third is the number of patches. A corresponding score value is then determined for each extracted security factor.
Specifically, the step of calculating the security score of the internet of things device according to the security factor information includes:
determining the security level of the access network of the Internet of things according to the IP address and the MAC address of the equipment of the Internet of things, and determining a corresponding score value according to the security level of the access network to obtain a score value of a first security factor;
determining a score value corresponding to the version of the operating system to obtain a score value of a second safety factor;
determining the number of patches of the Internet of things equipment according to the patch information, and determining corresponding score values according to the number of patches to obtain score values of a third safety factor;
and calculating the safety score of the Internet of things equipment according to the score value of each safety factor.
In this embodiment, the network accessed by the Internet of things device, and the security of that network, can be determined from the IP address and the MAC address. The accessed network may be, for example, a home network, personal mobile data, or a network in a public place. After obtaining the IP address and the MAC address of the Internet of things device, the server determines the security level of the access network. The security level and the score value are directly proportional, so the score value is determined by the security level of the access network. For example, a home network and a personal mobile data network have a higher security level than a network in a public place, and different public places can be assigned different network security levels.
The operating system version of the Internet of things device can be used as one of the security performance indicators of the device: a low operating system version often has bugs and is less secure, so the higher the operating system version, the higher the corresponding score value. Specifically, the operating system version is proportional to the score of this security factor. For example, if the total score for this security factor is 10, the score is obtained by dividing the number of the current operating system version (for example, 5) by the total number of versions (8) and multiplying the result by 10, giving 6.25; that is, 6.25 is the score corresponding to the operating system version.
The patch information of the Internet of things device also reflects the security of the device to a certain extent. In this embodiment, the score value of the third security factor is determined by the number of patches on the Internet of things device. Specifically, a plurality of number ranges may be set for the patch count, and each number range corresponds to a score value.
The security score of the Internet of things device is calculated from the score values of the first, second and third security factors. In a specific implementation, the sum of the score values of the security factors can be used as the security score of the Internet of things device, or the sum of the products of each score value and its corresponding weight can be used instead.
And step S33, when the security score is higher than the threshold score, sending connection establishment information to an access gateway so that the access gateway establishes connection with the Internet of things equipment.
The threshold score can be set according to actual needs. When the service system detects that the security score of the Internet of things device is higher than the threshold, the device can be determined to be in a secure state and is allowed to access the enterprise network.
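The pre-admission security score of steps S31 to S33, as an added example that is not the patent's own code. Only the operating system formula (current version / total versions × 10, giving 6.25 for version 5 of 8) comes from the page; the address ranges, the MAC-keyed asset inventory, the patch-count ranges, the weights and the threshold are assumed values.

```python
"""Pre-admission security score of an IoT device (steps S31 to S33).

Added example, not code from the patent or its assignee. Only the operating
system formula is taken from the page (current version / total versions * 10,
which gives 6.25 for version 5 of 8); the network classification, the asset
inventory keyed by MAC, the patch-count ranges, the weights and the threshold
are assumed values chosen for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Tuple

# Assumed: address ranges the server recognises and the security level of each
# kind of network (home and personal mobile data rank above public places).
NETWORK_BY_PREFIX: Dict[str, str] = {
    "10.0.0.0/24": "home",
    "100.64.0.0/10": "mobile_data",
    "192.0.2.0/24": "public_office",
    "198.51.100.0/24": "public_cafe",
}
NETWORK_LEVEL = {"home": 3, "mobile_data": 3, "public_office": 2,
                 "public_cafe": 1, "unknown": 0}
# Assumed asset inventory (constructed): MAC -> registered device name. A MAC
# that is not registered gets the 'unknown' network level whatever its IP says.
INVENTORY = {"aa:bb:cc:dd:ee:01": "sensor-01", "aa:bb:cc:dd:ee:02": "camera-02"}
TOTAL_OS_VERSIONS = 8      # total number of versions, from the page's example
WEIGHTS = (0.4, 0.3, 0.3)  # assumed weights for the first, second, third factor
THRESHOLD_SCORE = 6.0      # assumed admission threshold (maximum score is 10)


@dataclass(frozen=True)
class SecurityFactors:
    """Security factor information the device sends on request."""
    ip: str
    mac: str
    os_version: int
    patch_count: int


def network_level(ip: str, mac: str) -> int:
    """First factor: security level of the access network, from IP and MAC."""
    if mac.lower() not in INVENTORY:
        return NETWORK_LEVEL["unknown"]
    addr = ipaddress.ip_address(ip)
    for prefix, kind in NETWORK_BY_PREFIX.items():
        if addr in ipaddress.ip_network(prefix):
            return NETWORK_LEVEL[kind]
    return NETWORK_LEVEL["unknown"]


def network_score(ip: str, mac: str) -> float:
    """Score value proportional to the network security level, scaled to 0..10."""
    return network_level(ip, mac) / max(NETWORK_LEVEL.values()) * 10.0


def os_version_score(version: int) -> float:
    """Second factor: (current version / total versions) * 10, as on the page."""
    if not 1 <= version <= TOTAL_OS_VERSIONS:
        raise ValueError(f"unknown operating system version {version}")
    return version / TOTAL_OS_VERSIONS * 10.0


def patch_score(patch_count: int) -> float:
    """Third factor: patch count mapped through assumed ranges
    (0 -> 2, 1..3 -> 5, 4..9 -> 8, 10 or more -> 10)."""
    if patch_count < 0:
        raise ValueError("patch count cannot be negative")
    for upper, score in ((0, 2.0), (3, 5.0), (9, 8.0)):  # inclusive upper bounds
        if patch_count <= upper:
            return score
    return 10.0


def security_score(f: SecurityFactors) -> float:
    """Weighted sum of the three factor scores (the page also allows a plain sum)."""
    parts = (network_score(f.ip, f.mac), os_version_score(f.os_version),
             patch_score(f.patch_count))
    return round(sum(w * p for w, p in zip(WEIGHTS, parts)), 3)


def admission_decision(f: SecurityFactors) -> Tuple[bool, float]:
    """Step S33: connection establishment information goes to the access gateway
    only when the security score is above the threshold."""
    score = security_score(f)
    return score > THRESHOLD_SCORE, score
```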
Further, the step of sending the connection establishment information to the access gateway so that the access gateway establishes a connection with the internet of things device further includes:
acquiring identity information of a user sent by the Internet of things equipment;
verifying the identity information and determining the service authority information of the user;
the step of sending connection establishment information to an access gateway so that the access gateway establishes a connection with the internet of things device includes:
and sending connection establishment information to the access gateway so that the access gateway establishes connection between the Internet of things equipment and the network area corresponding to the service authority information.
In specific implementation, the identity information of the user may be sent to the server when the internet of things device sends the connection request, that is, the connection request information sent by the internet of things device includes the identity information of the user.
And after acquiring the identity information, the server performs identity authentication on the user and determines system access service authority information of the user. And after the user identity authentication is passed, the server executes the step of acquiring the safety factor information of the Internet of things equipment.
The user identity information is used to identify the identity of the user, and includes, for example, a user account number, a password, and/or a biometric key. The password may be a fixed password or a dynamic password set by the user, and the biometric key may be, for example, a facial feature, a fingerprint feature, an iris feature, or the like of the user.
In this embodiment, the network architecture divides minimum service authority information by service system, such as a financial data system, a purchasing system, a personnel system, and the like, and each service system is connected to a different network area. Different service authority information grants access to different network areas, that is, users with different service authority information can access different types and numbers of service systems. The Internet of things device can only access the service system corresponding to its own service authority information and has no access authority to other service systems, and data resources are granted to the device according to the trust evaluation result.
Referring to fig. 4, a communication device of the internet of things in a fourth embodiment of the present invention includes:
the first calculation module 10 is used for acquiring risk perception data of the internet of things equipment and calculating the score values of attack factor indexes and threat factor indexes according to the risk perception data;
the determining module 20 is configured to determine a trust level of the internet of things device according to the attack factor indicator and the score value of the threat factor indicator;
a first sending module 30, configured to send connection establishment information to a service system when the trust level is higher than the level threshold, so that the service system establishes a connection with the internet of things device.
Further, in the communication device of the internet of things, the risk perception data includes security alarms and vulnerabilities, and the first calculation module 10 includes:
a first computation submodule for:
acquiring the current alarm level, attack times and attack interval time in each safety alarm;
determining a corresponding first base number according to the current alarm level, determining a corresponding first coefficient according to the attack times, and determining a second coefficient according to the attack interval time;
calculating the grade of each safety alarm according to the first base number, the first coefficient and the second coefficient, and calculating the grade value of the attack factor index of the Internet of things equipment according to the grade of each safety alarm;
a second calculation submodule for:
acquiring the grade of each vulnerability, and determining a corresponding second base number according to the grade of the vulnerability;
and calculating the score value of the threat factor index according to the second cardinality corresponding to the grade of each vulnerability.
Further, in the internet of things communication device, after the step of sending the connection establishment information to the service system, the first sending module 30 is further configured to:
when the trust level is a low trust level, sending first information to the service system so that the service system refuses the Internet of things equipment to access any data;
when the trust level is a middle trust level, sending second information to the service system so that the service system authorizes the Internet of things equipment to access public data;
and when the trust level is a high trust level, sending third information to the service system so that the service system authorizes the Internet of things equipment to access all data of the service system.
Further, the communication device of the internet of things further comprises:
the second acquisition module is used for acquiring risk perception data of the Internet of things equipment at preset time intervals;
the second calculation module is used for calculating the current trust level of the Internet of things equipment according to the currently acquired risk perception data;
and the second sending module is used for sending the information corresponding to the current trust level to the access gateway when the current trust level is higher or lower than the trust level calculated last time.
Further, the communication device of the internet of things further comprises:
the third acquisition module is used for acquiring security factor information of the internet of things equipment, wherein the security factor information comprises an IP address, an MAC address, an operating system version and patch information of the internet of things equipment;
the third calculation module is used for calculating the security score of the Internet of things equipment according to the security factor information;
and the third sending module is used for sending connection establishment information to an access gateway when the security score is higher than the threshold score so that the access gateway establishes connection with the Internet of things equipment.
Further, in the internet of things communication device, the third obtaining module is further configured to obtain identity information of the user sent by the internet of things device, verify the identity information, and determine service authority information of the user;
the third sending module is used for:
and sending connection establishment information to the access gateway so that the access gateway establishes connection between the Internet of things equipment and the network area corresponding to the service authority information.
The implementation principle and the technical effect of the Internet of things communication device provided by the embodiment of the invention are the same as those of the method embodiment; for brevity, where the device embodiment does not mention a detail, reference may be made to the corresponding content of the method embodiment.
The present invention also proposes a readable storage medium on which a computer program is stored, which when executed by a processor implements the software compatibility detection method described above.
The embodiment of the present invention further provides a computer device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and when the processor executes the computer program, the steps of the method are implemented.
The logic and/or steps represented in the flowcharts or otherwise described herein, e.g., an ordered listing of executable instructions that can be considered to implement logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). Additionally, the computer-readable medium could even be paper or another suitable medium upon which the program is printed, as the program can be electronically captured, via for instance optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner if necessary, and then stored in a computer memory.
It should be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, the various steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or combination of the following techniques, which are known in the art, may be used: a discrete logic circuit having a logic gate circuit for implementing a logic function on a data signal, an application specific integrated circuit having an appropriate combinational logic gate circuit, a Programmable Gate Array (PGA), a Field Programmable Gate Array (FPGA), or the like.
In the description herein, references to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
The above-mentioned embodiments only express several embodiments of the present invention, and the description thereof is more specific and detailed, but not construed as limiting the scope of the present invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the inventive concept, which falls within the scope of the present invention. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. An internet of things communication method is characterized by comprising the following steps:
acquiring risk perception data of the Internet of things equipment, and respectively calculating the score values of an attack factor index and a threat factor index according to the risk perception data;
determining the trust level of the Internet of things equipment according to the score value of the attack factor index and the score value of the threat factor index;
and when the trust level is higher than the level threshold, sending connection establishment information to a service system so that the service system establishes connection with the Internet of things equipment.
2. The communication method of the internet of things as claimed in claim 1, wherein the risk perception data includes security alarms and vulnerabilities, and the step of calculating the score values of the attack factor indicators and the threat factor indicators respectively according to the risk perception data includes:
acquiring the current alarm level, attack times and attack interval time in each safety alarm;
determining a corresponding first base number according to the current alarm level, determining a corresponding first coefficient according to the attack times, and determining a second coefficient according to the attack interval time;
calculating the grade of each safety alarm according to the first base number, the first coefficient and the second coefficient, and calculating the grade value of the attack factor index of the Internet of things equipment according to the grade of each safety alarm;
acquiring the grade of each vulnerability, and determining a corresponding second base number according to the grade of the vulnerability;
and calculating the score value of the threat factor index according to the second cardinality corresponding to the grade of each vulnerability.
3. The internet-of-things communication method of claim 2, wherein the score value of the attack factor indicator is calculated by the formula:
$\mathrm{Score}_{attack,i} = \min\left(\sum \mathrm{Score}_{a,i},\ a\right)$;
where $\mathrm{Score}_{a,i} = m_i \times k_1 \times k_2$, $m_i$ is the first base number, $k_1$ and $k_2$ are the first coefficient and the second coefficient respectively, and $a$ is the upper limit value of the score value of the attack factor index.
4. The internet-of-things communication method of claim 2, wherein the score value of the threat factor indicator is calculated by the formula:
$\mathrm{Score}_{vul,i} = \min\left(\sum \mathrm{Score}_{v,i},\ b\right)$;
where $\mathrm{Score}_{v,i}$ is the second base number corresponding to the grade of each vulnerability, and $b$ is the upper limit value of the score value of the threat factor indicator.
5. The communication method of the internet of things of claim 1, wherein the step of sending the connection establishment information to the service system further comprises:
when the trust level is a low trust level, sending first information to the service system so that the service system refuses the Internet of things equipment to access any data;
when the trust level is a middle trust level, sending second information to the service system so that the service system authorizes the Internet of things equipment to access public data;
and when the trust level is a high trust level, sending third information to the service system so that the service system authorizes the Internet of things equipment to access all data of the service system.
6. The communication method of the internet of things as claimed in claim 5, wherein after the step of sending the connection establishment information to the service system so that the service system establishes the connection with the device of the internet of things, the communication method of the internet of things further comprises:
acquiring risk perception data of the Internet of things equipment at preset time intervals;
calculating the current trust level of the Internet of things equipment according to the currently acquired risk perception data;
and when the current trust level is higher or lower than the last calculated trust level, sending information corresponding to the current trust level to the access gateway.
7. The internet of things communication method of claim 1, wherein the step of obtaining risk awareness data of the internet of things device is preceded by the step of:
acquiring security factor information of the Internet of things equipment, wherein the security factor information comprises an IP address, an MAC address, an operating system version and patch information of the Internet of things equipment;
calculating the security score of the Internet of things equipment according to the security factor information;
and when the security score is higher than the threshold score, sending connection establishment information to an access gateway so that the access gateway establishes connection with the Internet of things equipment.
8. The internet-of-things communication method of claim 7, wherein the step of sending connection establishment information to an access gateway so that the access gateway establishes a connection with the internet-of-things device further comprises:
acquiring identity information of a user sent by the Internet of things equipment;
verifying the identity information and determining the service authority information of the user;
the step of sending connection establishment information to an access gateway so that the access gateway establishes a connection with the internet of things device includes:
and sending connection establishment information to the access gateway so that the access gateway establishes connection between the Internet of things equipment and the network area corresponding to the service authority information.
9. An internet of things communication device, comprising:
the first calculation module is used for acquiring risk perception data of the Internet of things equipment and calculating the score values of the attack factor index and the threat factor index according to the risk perception data;
the determining module is used for determining the trust level of the Internet of things equipment according to the score values of the attack factor index and the threat factor index;
the first sending module is used for sending connection establishment information to a service system when the trust level is higher than a level threshold value, so that the service system establishes connection with the Internet of things equipment.
10. A readable storage medium on which a program is stored, which program, when executed by a processor, carries out the method according to any one of claims 1 to 8.
CN202011148973.1A 2020-10-23 2020-10-23 Internet of things communication method and device, readable storage medium and computer equipment Active CN112351005B (en)

Publications (2)

Publication Number Publication Date
CN112351005A true CN112351005A (en) 2021-02-09
CN112351005B CN112351005B (en) 2022-11-15
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant