CN112769847A - Safety protection method, device, equipment and storage medium for Internet of things equipment - Google Patents


Info

Publication number
CN112769847A
Authority
CN
China
Prior art keywords
internet
things
target
traffic data
feature vector
Legal status
Granted
Application number
CN202110063733.XA
Other languages
Chinese (zh)
Other versions
CN112769847B (en)
Inventor
王宁
王杰
杨满智
蔡琳
梁彧
田野
傅强
金红
陈晓光
尚程
宋玲
Current Assignee
Eversec Beijing Technology Co Ltd
Original Assignee
Eversec Beijing Technology Co Ltd
Events
Application filed by Eversec Beijing Technology Co Ltd
Priority to CN202110063733.XA
Publication of CN112769847A
Application granted
Publication of CN112769847B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L63/0218 Distributed architectures, e.g. distributed firewalls
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L63/306 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information intercepting packet switched data communications, e.g. Web, Internet or IMS communications

Abstract

The embodiment of the invention discloses a safety protection method, device, equipment and storage medium for Internet of things equipment. The method comprises the following steps: acquiring at least one piece of Internet of things traffic data corresponding to a target Internet of things device; screening the Internet of things traffic data, determining at least one target Internet of things traffic data cluster, and extracting a target feature vector of each target Internet of things traffic data cluster; comparing the target feature vector with a preset reference feature vector set to determine whether the target feature vector matches a dangerous event; and if the target feature vector is determined to match a dangerous event, intercepting the Internet of things traffic data in the target Internet of things traffic data cluster corresponding to the target feature vector. According to the scheme of the embodiment of the invention, safety protection of Internet of things equipment can be realized, and a safety guarantee is provided for the Internet of things equipment.

Description

Safety protection method, device, equipment and storage medium for Internet of things equipment
Technical Field
The embodiment of the invention relates to the technical field of network security, in particular to a security protection method, a security protection device, security protection equipment and a storage medium for Internet of things equipment.
Background
With the continuous development of science and technology, the internet of things is developed rapidly. The internet of things can connect physical devices, such as vehicles, buildings, embedded electronic devices, software or sensors, and the like, with a network, allow remote systems to sense and control things through the existing network infrastructure, and can integrate the physical world into a computer-based system, thereby improving efficiency, accuracy and economic benefits and bringing great convenience to people's lives.
While the Internet of things brings convenience to life, safety problems frequently accompany it: according to safety situation reports from authoritative bodies, the safety risks of Internet of things equipment are high, and the safety guarantee of Internet of things equipment is increasingly urgent.
How to carry out safety protection for Internet of things equipment is therefore a key problem of concern in the industry.
Disclosure of Invention
The embodiment of the invention provides a safety protection method, a safety protection device, equipment and a storage medium of equipment of the Internet of things, so that the safety protection of the equipment of the Internet of things is realized, and the safety guarantee is provided for the equipment of the Internet of things.
In a first aspect, an embodiment of the present invention provides a method for protecting security of an internet of things device, including:
acquiring at least one internet of things flow data corresponding to a target internet of things device;
screening the flow data of the Internet of things, determining at least one target Internet of things flow data cluster, and extracting a target feature vector of each target Internet of things flow data cluster;
comparing the target characteristic vector with a preset reference characteristic vector set to determine whether the target characteristic vector is matched with a dangerous event, wherein the reference characteristic vector set comprises characteristic vectors of a plurality of dangerous events;
and if the target characteristic vector is determined to be matched with the dangerous event, intercepting the Internet of things flow data in the target Internet of things flow data cluster corresponding to the target characteristic vector.
In a second aspect, an embodiment of the present invention further provides a safety protection device for an internet of things device, including:
the internet of things traffic data acquisition module is used for acquiring at least one piece of internet of things traffic data corresponding to the target internet of things device;
the target Internet of things traffic data cluster determining module is used for screening the Internet of things traffic data, determining at least one target Internet of things traffic data cluster and extracting a target feature vector of each target Internet of things traffic data cluster;
the comparison module is used for comparing the target characteristic vector with a preset reference characteristic vector set and determining whether the target characteristic vector is matched with a dangerous event, wherein the reference characteristic vector set comprises a plurality of characteristic vectors of the dangerous event;
and the intercepting module is used for intercepting the Internet of things traffic data in the target Internet of things traffic data cluster corresponding to the target characteristic vector if the target characteristic vector is determined to be matched with the dangerous event.
In a third aspect, an embodiment of the present invention further provides an electronic device, where the electronic device includes:
one or more processors;
a storage device for storing one or more programs,
when the one or more programs are executed by the one or more processors, the one or more processors implement the method for securing the internet of things device according to any embodiment of the present invention.
In a fourth aspect, the present invention further provides a storage medium containing computer-executable instructions, where the computer-executable instructions, when executed by a computer processor, are configured to perform a method for securing an internet of things device according to any one of the embodiments of the present invention.
The embodiment of the invention obtains at least one piece of Internet of things flow data corresponding to the target Internet of things equipment; screening the flow data of the Internet of things, determining at least one target Internet of things flow data cluster, and extracting target feature vectors of the flow data clusters of the target Internet of things; comparing the target characteristic vector with a preset reference characteristic vector set to determine whether the target characteristic vector is matched with the dangerous event; if the target characteristic vector is determined to be matched with the dangerous event, the Internet of things flow data in the target Internet of things flow data cluster corresponding to the target characteristic vector is intercepted, so that safety protection of Internet of things equipment can be realized, and safety guarantee is provided for the Internet of things equipment.
Drawings
Fig. 1 is a flowchart of a security protection method for an internet of things device in a first embodiment of the present invention;
Fig. 2 is a flowchart of a security protection method for an internet of things device in a second embodiment of the present invention;
Fig. 3 is a flowchart of a security protection method for an internet of things device in a third embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a safety protection device of an internet of things device in a fourth embodiment of the present invention;
Fig. 5 is a schematic structural diagram of an electronic device in a fifth embodiment of the present invention.
Detailed Description
The embodiments of the present invention will be described in further detail with reference to the drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of and not restrictive on the broad invention. It should be further noted that, for convenience of description, only some structures, not all structures, relating to the embodiments of the present invention are shown in the drawings.
Example one
Fig. 1 is a flowchart of a security protection method for an internet of things device in a first embodiment of the present invention, where the present embodiment is applicable to a case of performing security protection on an internet of things device, and the method may be performed by a security protection apparatus for an internet of things device, and the apparatus may be implemented in software and/or hardware and integrated in an electronic device; in this embodiment, the electronic device may be a computer, a server, a tablet computer, or the like. Specifically, referring to fig. 1, the method specifically includes the following steps:
Step 110, acquiring at least one piece of internet of things traffic data corresponding to the target internet of things device.
The target internet of things device may be a vehicle, a building, an embedded electronic device, software, a sensor, or other physical devices, which is not limited in this embodiment.
The internet of things traffic data may contain: the original IP address (i.e., the IP address of the device sending the internet of things traffic data), the target IP address (i.e., the IP address of the device receiving the internet of things traffic data), the communication frequency, the data size, the communication time, or the communication protocol used to transmit the internet of things traffic data, etc.
For example, the internet of things traffic data may be an instruction sent by the server to turn on a smart speaker, or a report of the daily household power consumption counted by a smart meter that the server obtains, and the like, which is not limited in this embodiment.
In an optional implementation manner of this embodiment, all traffic data in the internet of things may be obtained in real time through the probe, and at least one piece of internet of things traffic data corresponding to the target internet of things device is screened according to an original IP address or a target IP address of each piece of traffic data.
For example, if the original IP address of the first internet-of-things traffic data is the same as the IP address of the target internet-of-things device, it may be determined that the first internet-of-things traffic data is one internet-of-things traffic data corresponding to the target internet-of-things device; if the target IP address of the second internet-of-things traffic data is the same as the IP address of the target internet-of-things device, determining that the second internet-of-things traffic data is one internet-of-things traffic data corresponding to the target internet-of-things device; the first internet of things traffic data and the second internet of things traffic data are any internet of things traffic data, and are not limited to this embodiment.
Step 120, screening the traffic data of the internet of things, determining at least one target internet of things traffic data cluster, and extracting target feature vectors of the traffic data clusters of the target internet of things.
In an optional implementation manner of this embodiment, after at least one piece of internet-of-things traffic data corresponding to the target internet-of-things device is acquired, the acquired internet-of-things traffic data may be further filtered, at least one target internet-of-things traffic data cluster is determined, and further, a feature vector of each target internet-of-things traffic data cluster may be extracted.
Specifically, after at least one piece of internet of things traffic data corresponding to the target internet of things device is acquired, redundant data in each piece of internet of things traffic data can be further removed, and the remaining data is clustered, for example, the internet of things traffic data corresponding to the same communication protocol can be determined as a target internet of things traffic data cluster; the internet of things traffic data corresponding to the same communication frequency may also be determined as a target internet of things traffic data cluster, which is not limited in this embodiment.
Further, the feature vector of each target internet of things traffic data cluster can be respectively extracted and used as the target feature vector. It should be noted that, in this embodiment, each target feature vector may include features of a target internet of things traffic data cluster corresponding to the target internet of things, for example, a communication protocol feature, a communication time feature, or a communication frequency feature, which is not limited in this embodiment.
Step 130, comparing the target characteristic vector with a preset reference characteristic vector set, and determining whether the target characteristic vector is matched with the dangerous event.
The reference feature vector set includes feature vectors of a plurality of dangerous events, for example, the reference feature vector set may include feature vectors of a Trojan dangerous event, feature vectors of a virus dangerous event, or feature vectors of an attack event, and the like, which is not limited in this embodiment.
In an optional implementation manner of this embodiment, after the target feature vectors of each target internet of things traffic data cluster are extracted, each target feature vector may be compared with a preset reference feature vector set, for example, the target feature vectors may be compared with each reference feature vector in the reference feature vector set in sequence, and whether the target feature vectors are matched with the dangerous events is determined.
For example, if the similarity shown in the comparison result between the target feature vector and the first reference feature vector in the reference feature vector set is greater than 90%, it may be determined that the target feature vector matches the dangerous event.
Step 140, if the target characteristic vector is determined to be matched with the dangerous event, intercepting the internet of things flow data in the target internet of things flow data cluster corresponding to the target characteristic vector.
In an optional implementation manner of this embodiment, if it is determined that the target feature vector matches the dangerous event, the internet of things traffic data in the target internet of things traffic data cluster corresponding to the target feature vector may be further intercepted.
For example, if the similarity displayed in the comparison result of the target feature vector and the first reference feature vector in the reference feature vector set is greater than 90%, it may be determined that the target feature vector matches a dangerous event, and all internet-of-things traffic data in a target internet-of-things traffic data cluster corresponding to the target feature vector may be intercepted; for example, the target internet of things traffic data cluster includes 10 internet of things traffic data, and the 10 internet of things traffic data can be intercepted after the target feature vector corresponding to the target internet of things traffic data cluster is determined to be matched with the dangerous event.
According to the scheme of the embodiment, at least one piece of internet of things flow data corresponding to the target internet of things equipment is acquired; screening the flow data of the Internet of things, determining at least one target Internet of things flow data cluster, and extracting target feature vectors of the flow data clusters of the target Internet of things; comparing the target characteristic vector with a preset reference characteristic vector set to determine whether the target characteristic vector is matched with the dangerous event; if the target characteristic vector is determined to be matched with the dangerous event, the Internet of things flow data in the target Internet of things flow data cluster corresponding to the target characteristic vector is intercepted, so that safety protection of Internet of things equipment can be realized, and safety guarantee is provided for the Internet of things equipment.
Example two
Fig. 2 is a flowchart of a security protection method for an internet of things device in a second embodiment of the present invention, which is a further refinement of the foregoing technical solutions, and the technical solutions in this embodiment may be combined with various alternatives in one or more embodiments. As shown in fig. 2, the method for securing the internet of things device may include the following steps:
Step 210, acquiring, through a probe arranged at a network node of the internet of things, the internet of things traffic data sent to the target internet of things device and/or the internet of things traffic data sent by the target internet of things device.
In an optional implementation manner of this embodiment, obtaining at least one piece of internet of things traffic data corresponding to the target internet of things device may include: acquiring, through a probe arranged at a network node of the internet of things, the internet of things traffic data sent to the target internet of things device and/or the internet of things traffic data sent by the target internet of things device.
Optionally, in this embodiment, probes may be set at all nodes or key nodes of the internet of things network, and once there is traffic data of the internet of things passing through a network node, the traffic data of the internet of things may be acquired by the probes.
In an optional implementation manner of this embodiment, if the probe acquires the internet of things traffic data sent to the target internet of things device, the internet of things traffic data sent by the target internet of things device, or acquires the internet of things traffic data sent to the target internet of things device and the internet of things traffic data sent by the target internet of things device at the same time, the internet of things traffic data is determined as the internet of things traffic data corresponding to the target internet of things device.
Step 220, screening the traffic data of the internet of things, determining at least one target internet of things traffic data cluster, and extracting target feature vectors of the traffic data clusters of the target internet of things.
In an optional implementation manner of this embodiment, after at least one piece of internet-of-things traffic data corresponding to the target internet-of-things device is acquired, the internet-of-things traffic data may be further filtered, at least one target internet-of-things traffic data cluster is determined, and a target feature vector of each target internet-of-things traffic data cluster is extracted.
In an optional implementation manner of this embodiment, the screening of traffic data of each internet of things and the determining of at least one target traffic data cluster of the internet of things may include: acquiring a transmission protocol of traffic data of each Internet of things, and determining whether each transmission protocol is in a preset transmission protocol configuration table; and if the first transmission protocol is not in the preset transmission protocol configuration table, rejecting the Internet of things traffic data corresponding to the first transmission protocol.
The preset transmission protocol configuration table comprises a plurality of preset Internet of things traffic data transmission protocols.
In a specific implementation, after at least one piece of internet of things traffic data corresponding to a target internet of things device is acquired, the transmission protocol of each piece of internet of things traffic data can be further acquired, and whether each transmission protocol is in the preset transmission protocol configuration table is determined; illustratively, if the first transmission protocol of the first internet of things traffic data is not in the preset transmission protocol configuration table, the first internet of things traffic data is rejected; and if the transmission protocol of the second internet of things traffic data is in the preset transmission protocol configuration table, the second internet of things traffic data is retained.
The advantage of this arrangement is that interference traffic can be filtered out of the acquired internet of things traffic data, which greatly improves the precision of the algorithm.
Further, the flow data of the internet of things can be clustered according to the attribute characteristics of the flow data of the internet of things to obtain a plurality of target flow data clusters of the internet of things; wherein the attribute characteristics include access time, transmission protocol, or access times.
Illustratively, after the internet of things traffic data corresponding to the first transmission protocol is removed, the attribute characteristics of the remaining internet of things traffic data can be analyzed, and the internet of things traffic data are clustered according to the attribute characteristics; for example, the traffic data of the internet of things with the same access time can be determined as a target traffic data cluster of the internet of things; the traffic data of all the internet of things with the same transmission protocol can be determined as a target internet of things traffic data cluster; each internet of things traffic data with the access times within the set range can be determined as a target internet of things traffic data cluster and the like, which is not limited in this embodiment.
Further, the target feature vector of each target internet of things traffic data cluster can be extracted.
Step 230, respectively calculating the similarity between the target feature vector and each reference feature vector in the reference feature vector set, and when the similarity between the target feature vector and a reference feature vector (the target reference feature vector) is greater than a set threshold, determining that the target feature vector is matched with the dangerous event.
The set threshold may be a value such as 0.8, 0.9, or 0.95, which is not limited in this embodiment.
In an optional implementation manner of this embodiment, after extracting the target feature vector of each target internet of things traffic data cluster, the similarity between the target feature vector and each reference feature vector in the reference feature vector set may be calculated respectively, and when the similarity between the target feature vector and a reference feature vector (the target reference feature vector) is greater than the set threshold, it may be determined that the target feature vector matches the dangerous event corresponding to that reference feature vector.
For example, if the similarity between the target feature vector and the first reference feature vector is 0.98 (the threshold is set to 0.8), it may be determined that the target feature vector matches the dangerous event.
Step 240, if the target characteristic vector is determined to be matched with the dangerous event, intercepting the Internet of things flow data in the target Internet of things flow data cluster corresponding to the target characteristic vector.
In an optional implementation manner of this embodiment, after determining that the target feature vector matches the dangerous event, intercepting the internet of things traffic data in the target internet of things traffic data cluster corresponding to the target feature vector may include: prohibiting the internet of things traffic data in the target internet of things traffic data cluster from being sent to the target internet of things device, and/or prohibiting the target internet of things device from sending the internet of things traffic data in the target internet of things traffic data cluster.
In a specific implementation, after the target feature vector is determined to be matched with the dangerous event, the network traffic data in the target internet of things traffic data cluster corresponding to the target feature vector may be prohibited from being sent to the target internet of things device, and the target internet of things device may also be prohibited from sending the network traffic data in the target internet of things traffic data cluster corresponding to the target feature vector.
In the scheme of this embodiment, the transmission protocol of each piece of internet of things traffic data is acquired, and whether each transmission protocol is in the preset transmission protocol configuration table is determined; if the first transmission protocol is not in the preset transmission protocol configuration table, the internet of things traffic data corresponding to the first transmission protocol is removed; the internet of things traffic data is clustered according to its attribute characteristics to obtain a plurality of target internet of things traffic data clusters; and the similarity between the target feature vector and each reference feature vector in the reference feature vector set is calculated respectively, and when the similarity between the target feature vector and the target reference feature vector is greater than the set threshold, the target feature vector is determined to match the dangerous event. In this way the dangerous event can be determined and intercepted rapidly, providing a basis for the safety protection of internet of things equipment.
Example three
Fig. 3 is a flowchart of a security protection method for an internet of things device in a third embodiment of the present invention, which is a further refinement of the foregoing technical solutions, and the technical solution in this embodiment may be combined with various alternatives in one or more of the foregoing embodiments. As shown in fig. 3, the method for securing the internet of things device may include the following steps:
Step 310, acquiring at least one piece of internet of things flow data corresponding to the target internet of things equipment.
Step 320, screening the traffic data of the internet of things, determining at least one target internet of things traffic data cluster, and extracting target feature vectors of the traffic data clusters of the target internet of things.
Step 330, comparing the target feature vector with a preset reference feature vector set, and determining whether the target feature vector is matched with the dangerous event.
The reference feature vector set comprises a plurality of feature vectors of dangerous events.
Step 340, adding the target feature vector of the target Internet of things traffic data into the reference feature vector set.
In an optional implementation of this embodiment, after the target feature vector is determined to match the dangerous event, the target feature vector of the target Internet of things traffic data may further be added to the reference feature vector set, so that the diversity of the reference feature vectors in the reference feature vector set is enriched, that is, the diversity of dangerous events the set can represent is enriched.
According to the scheme of this embodiment, after the target feature vector is determined to match the dangerous event, the target feature vector of the target Internet of things traffic data can further be added to the reference feature vector set, so that the diversity of the reference feature vectors in the reference feature vector set is enriched, namely the diversity of dangerous events is enriched, and a basis is provided for the safety protection of the Internet of things equipment.
To help those skilled in the art better understand the security protection method of the Internet of things device in this embodiment, a specific example is described below; the process includes:
1. The Internet of things traffic data is acquired by the acquisition device.
In this embodiment, the acquisition device is responsible for acquiring raw data, temporarily storing it, preprocessing it, and so on. The acquisition device can be implemented with a general-purpose server; fast reception and fast filtering and forwarding of data are achieved by fitting a high-speed switching network card and high-speed memory. The acquisition device configures the network card in promiscuous mode, so that it receives all data passing through the network card regardless of whether the destination address is the acquisition device itself. The acquisition device removes interfering traffic according to the characteristics of Internet of things protocols, screens out Internet of things protocol traffic, and analyses it further.
2. The acquired Internet of things traffic data is processed.
In an optional implementation of this embodiment, the data traffic characteristics may be classified, high-frequency and abnormal access actions mined from them and treated as key monitoring objects, and that part of the traffic transmitted to the analysis device.
The analysis device receives the preprocessed traffic transmitted by the acquisition device; detection modules for Trojans, viruses, attack events and the like are arranged in the analysis device.
Illustratively, the Trojan monitoring module matches the traffic characteristics against Trojan connection characteristics and judges whether a Trojan control event is present; the virus monitoring module matches the data carried by the traffic against virus signatures and judges the virus infection situation; the attack event module judges whether an attack event has occurred by matching the traffic characteristics against attack event sources and attack purposes.
Further, the data display module stores the result data for query and provides a summary display; the result data query function supports query by specified IP address, event type, occurrence date and the like; the summary display includes regional distribution, type statistics and the like. The early warning and disposal device is usually deployed together with these and is responsible for issuing warning notices, carrying out disposal in cooperation with the acquisition device, and the like; early warnings are mainly issued via a system status page, e-mail, SMS and the like; the alarm module sends alarms by e-mail and SMS and requires integration with a response system; disposal instructions are issued by the early warning and disposal device, and their content comprises the IP to be handled, the disposal action and the disposal time; the disposal instruction is executed by the acquisition device, specifically by sending disconnection packets in both directions and feeding back the disposal result to the early warning and disposal device in real time.
In another optional implementation of this embodiment, when the disposal device receives an attack event that needs protection, it performs a preliminary analysis of the session in the connection direction and extracts information such as the source address, source port, destination address and destination port; carefully constructed forged TCP packets are then sent to the attacker and the victim simultaneously, so that both parties receive a session release request and the session connection of the attack event is blocked. The detailed packet construction process includes: forging the IP packet header, calculating the IP packet checksum, forging the TCP packet header, calculating the TCP packet checksum, and sending the packet.
In another optional implementation of this embodiment, for a security event that has already occurred, the attacker and the victim are extracted, the victim is analysed in depth, the other network traffic session requests frequently associated with the victim are analysed, and it is determined whether those session requests also exhibit network attack behaviour, so as to discover suspected attackers; specifically, the requests of the victim's other network sessions are analysed in a targeted manner, with the focus on judging whether they attack the victim, so as to discover suspected attackers. Through this extended analysis of security events, security event characteristics can be supplemented and a blacklist library accumulated.
According to the scheme of this embodiment, Internet of things network traffic is acquired by front-end network traffic sniffing equipment, the traffic is cleaned, classified and analysed, security events present in the network are extracted, an alarm is raised through the response means, network attack behaviour is blocked in time, and early warning and protection are provided for the Internet of things.
EXAMPLE four
Fig. 4 is a schematic structural diagram of a safety protection device of an internet of things device in a fourth embodiment of the present invention, where the safety protection device can execute the safety protection method of the internet of things device in the foregoing embodiments. Referring to fig. 4, the apparatus includes: the system comprises an internet of things traffic data acquisition module 410, a target internet of things traffic data cluster determination module 420, a comparison module 430 and an interception module 440.
An internet of things traffic data obtaining module 410, configured to obtain at least one internet of things traffic data corresponding to a target internet of things device;
a target internet of things traffic data cluster determining module 420, configured to filter each internet of things traffic data, determine at least one target internet of things traffic data cluster, and extract a target feature vector of each target internet of things traffic data cluster;
a comparison module 430, configured to compare the target feature vector with a preset reference feature vector set, and determine whether the target feature vector matches a dangerous event, where the reference feature vector set includes feature vectors of multiple dangerous events;
an intercepting module 440, configured to intercept internet-of-things traffic data in a target internet-of-things traffic data cluster corresponding to the target feature vector if it is determined that the target feature vector matches a dangerous event.
According to the scheme of the embodiment, at least one piece of internet of things flow data corresponding to the target internet of things equipment is acquired through an internet of things flow data acquisition module; screening the flow data of the internet of things through a target internet of things flow data cluster determining module, determining at least one target internet of things flow data cluster, and extracting a target feature vector of each target internet of things flow data cluster; comparing the target characteristic vector with a preset reference characteristic vector set through a comparison module, and determining whether the target characteristic vector is matched with a dangerous event, wherein the reference characteristic vector set comprises characteristic vectors of a plurality of dangerous events; the Internet of things traffic data in the target Internet of things traffic data cluster is intercepted through the interception module,
in an optional implementation manner of this embodiment, the internet of things traffic data obtaining module 410 is specifically configured to obtain, through a probe set at a network node of the internet of things, traffic data of each internet of things sent to the target internet of things device and/or the target internet of things device.
In an optional implementation manner of this embodiment, the target internet of things traffic data cluster determining module 420 is specifically configured to:
acquire a transmission protocol of each Internet of things traffic data, and determine whether each transmission protocol is in a preset transmission protocol configuration table;
and if the first transmission protocol is not in the preset transmission protocol configuration table, reject the Internet of things traffic data corresponding to the first transmission protocol.
In an optional implementation manner of this embodiment, the target internet of things traffic data cluster determining module 420 is further specifically configured to:
cluster the Internet of things traffic data according to the attribute characteristics of the Internet of things traffic data to obtain a plurality of target Internet of things traffic data clusters;
the attribute characteristics include access time, transfer protocol, or number of accesses.
In an optional implementation manner of this embodiment, the comparing module 430 is specifically configured to:
respectively calculate the similarity of the target feature vector and each reference feature vector in the reference feature vector set, and when the similarity of the target feature vector and the target reference feature vector is greater than a set threshold value, determine that the target feature vector is matched with a dangerous event.
In an optional implementation manner of this embodiment, the interception module 440 is specifically configured to:
forbid the Internet of things traffic data in the target Internet of things traffic data cluster from being sent to the target Internet of things device,
and/or
forbid the target Internet of things device from sending the Internet of things traffic data in the target Internet of things traffic data cluster.
In an optional implementation manner of this embodiment, the safety protection device of the internet of things device further includes an adding module, configured to add a target feature vector of the target internet of things traffic data to the reference feature vector set.
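The pipeline of steps 310 to 340 in embodiment three and the module configurations just described (protocol table screening, attribute clustering, similarity against the reference set with a threshold, direction-aware interception, and adding the matched vector back to the set), as an added Python example that is not the patent's own code. The sample flows, the protocol table, the reference vectors and their labels, the feature scaling and the similarity measure are all assumptions constructed for illustration.

```python
"""Added example, not code from the patent: a minimal, self-contained model of
the screening, clustering, matching and interception pipeline of steps 310-340.
Flows, the protocol table, the reference vectors, the feature scaling and the
similarity measure are all constructed assumptions for illustration."""
from collections import defaultdict
from dataclasses import dataclass
import math

# Preset transmission protocol configuration table (constructed): traffic in
# any protocol not listed here is rejected before clustering (step 320).
PROTOCOL_TABLE = {"MQTT", "CoAP", "HTTP"}

# Feature scaling for (packets per flow, flows in cluster, distinct peers).
# Constructed so that every feature lands roughly in [0, 1].
FEATURE_SCALE = (1000.0, 50.0, 50.0)
MATCH_THRESHOLD = 0.9  # the "set threshold" of step 330; constructed value

# Reference feature vector set: one or more vectors per dangerous event
# (constructed labels and values, already scaled by FEATURE_SCALE).
REFERENCE_SET = {
    "mqtt_flood": [(0.35, 0.12, 0.02)],  # few peers, many heavy flows
    "port_scan": [(0.002, 0.6, 0.6)],    # many tiny flows from many peers
}

@dataclass(frozen=True)
class Flow:
    """One piece of IoT traffic data as a probe would report it (constructed)."""
    peer: str        # remote address talking to the target device
    protocol: str    # transmission protocol
    hour: int        # access time, bucketed to the hour
    packets: int     # number of accesses carried by this flow
    to_device: bool  # True: sent to the target device; False: sent by it

def screen_by_protocol(flows):
    """Step 320, first part: drop flows whose protocol is not in the table."""
    return [f for f in flows if f.protocol in PROTOCOL_TABLE]

def cluster_flows(flows):
    """Step 320, second part: cluster by attribute characteristics.
    The key is (protocol, access hour, direction), so the interception action
    for a matched cluster knows which direction to forbid (claim 6)."""
    clusters = defaultdict(list)
    for f in flows:
        clusters[(f.protocol, f.hour, f.to_device)].append(f)
    return dict(clusters)

def feature_vector(cluster):
    """Target feature vector of one cluster, scaled by FEATURE_SCALE."""
    raw = (sum(f.packets for f in cluster) / len(cluster),
           len(cluster),
           len({f.peer for f in cluster}))
    return tuple(v / s for v, s in zip(raw, FEATURE_SCALE))

def similarity(a, b):
    """Similarity in [0, 1]: one minus the Euclidean distance between scaled
    vectors, clipped at 0. The patent fixes no particular measure; this choice
    is an assumption (cosine similarity would ignore magnitude, which is
    exactly the signal a flood leaves)."""
    dist = math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))
    return max(0.0, 1.0 - dist)

def match_event(target, reference_set, threshold=MATCH_THRESHOLD):
    """Step 330: compare against every reference vector; return the best
    (event, similarity) whose similarity exceeds the threshold, else None."""
    best = None
    for event, vectors in reference_set.items():
        for ref in vectors:
            sim = similarity(target, ref)
            if sim > threshold and (best is None or sim > best[1]):
                best = (event, sim)
    return best

def run_pipeline(flows, reference_set):
    """Steps 310-340 end to end. Returns one decision per matched cluster:
    (cluster key, event, similarity, interception action). Each matched target
    vector is appended to the reference set, as in step 340."""
    decisions = []
    for key, cluster in cluster_flows(screen_by_protocol(flows)).items():
        target = feature_vector(cluster)
        hit = match_event(target, reference_set)
        if hit is None:
            continue
        event, sim = hit
        to_device = key[2]
        action = "forbid_sending_to_device" if to_device else "forbid_device_sending"
        reference_set[event].append(target)
        decisions.append((key, event, sim, action))
    return decisions

# Constructed sample traffic: an MQTT burst from one peer (five heavy inbound
# flows), two benign flows, and one Telnet flow the protocol table rejects.
SAMPLE_FLOWS = [Flow("10.0.0.5", "MQTT", 3, 400, True) for _ in range(5)] + [
    Flow("10.0.0.7", "CoAP", 9, 5, True),
    Flow("10.0.0.8", "HTTP", 9, 12, False),
    Flow("10.0.0.9", "TELNET", 3, 50, True),
]

if __name__ == "__main__":
    for key, event, sim, action in run_pipeline(SAMPLE_FLOWS, REFERENCE_SET):
        print(f"cluster {key}: matched {event} (similarity {sim:.3f}) -> {action}")
```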
The safety protection device of the internet of things equipment provided by the embodiment of the invention can execute the safety protection method of the internet of things equipment provided by any embodiment of the invention, and has corresponding functional modules and beneficial effects of the execution method.
EXAMPLE five
Fig. 5 is a schematic structural diagram of an electronic device according to a fifth embodiment of the present invention, as shown in fig. 5, the electronic device includes a processor 50, a memory 51, an input device 52, and an output device 53; the number of the processors 50 in the electronic device may be one or more, and one processor 50 is taken as an example in fig. 5; the processor 50, the memory 51, the input device 52 and the output device 53 in the electronic apparatus may be connected by a bus or other means, and the bus connection is exemplified in fig. 5.
The memory 51 is used as a computer-readable storage medium, and can be used to store software programs, computer-executable programs, and modules, such as program instructions/modules corresponding to the security protection method of the internet of things device in the embodiment of the present invention (for example, the internet of things traffic data obtaining module 410, the target internet of things traffic data cluster determining module 420, the comparing module 430, and the intercepting module 440 in the security protection apparatus of the internet of things device). The processor 50 executes various functional applications and data processing of the electronic device by running software programs, instructions and modules stored in the memory 51, so as to implement the above-mentioned security protection method for the internet of things device.
The memory 51 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created according to the use of the terminal, and the like. Further, the memory 51 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some examples, the memory 51 may further include memory located remotely from the processor 50, which may be connected to the electronic device through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device 52 may be used to receive input numeric or character information and generate key signal inputs related to user settings and function controls of the electronic apparatus. The output device 53 may include a display device such as a display screen.
EXAMPLE six
An embodiment of the present invention further provides a storage medium containing computer-executable instructions, which when executed by a computer processor, are configured to perform a method for securing an internet of things device, where the method includes:
acquiring at least one internet of things flow data corresponding to a target internet of things device;
screening the flow data of the Internet of things, determining at least one target Internet of things flow data cluster, and extracting a target feature vector of each target Internet of things flow data cluster;
comparing the target characteristic vector with a preset reference characteristic vector set to determine whether the target characteristic vector is matched with a dangerous event, wherein the reference characteristic vector set comprises characteristic vectors of a plurality of dangerous events;
and if the target characteristic vector is determined to be matched with the dangerous event, intercepting the Internet of things flow data in the target Internet of things flow data cluster corresponding to the target characteristic vector.
Of course, the storage medium provided by the embodiment of the present invention contains computer-executable instructions, and the computer-executable instructions are not limited to the method operations described above, and may also perform related operations in the method for securing an internet of things device provided by any embodiment of the present invention.
From the above description of the embodiments, it is obvious for those skilled in the art that the present invention can be implemented by software and necessary general hardware, and certainly, can also be implemented by hardware, but the former is a better embodiment in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which can be stored in a computer-readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a FLASH Memory (FLASH), a hard disk or an optical disk of a computer, and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device) to execute the methods according to the embodiments of the present invention.
It should be noted that, in the embodiment of the safety protection device for the internet of things device, each unit and each module included in the embodiment are only divided according to functional logic, but are not limited to the above division, as long as the corresponding function can be realized; in addition, specific names of the functional units are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present invention.
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (10)

1. A safety protection method for Internet of things equipment is characterized by comprising the following steps:
acquiring at least one internet of things flow data corresponding to a target internet of things device;
screening the flow data of the Internet of things, determining at least one target Internet of things flow data cluster, and extracting a target feature vector of each target Internet of things flow data cluster;
comparing the target characteristic vector with a preset reference characteristic vector set to determine whether the target characteristic vector is matched with a dangerous event, wherein the reference characteristic vector set comprises characteristic vectors of a plurality of dangerous events;
and if the target characteristic vector is determined to be matched with the dangerous event, intercepting the Internet of things flow data in the target Internet of things flow data cluster corresponding to the target characteristic vector.
2. The method of claim 1, wherein the obtaining at least one internet of things traffic data corresponding to a target internet of things device comprises:
the Internet of things traffic data sent to the target Internet of things device and/or sent by the target Internet of things device is acquired through a probe arranged at a network node of the Internet of things.
3. The method of claim 1, wherein the screening of each of the internet of things traffic data to determine at least one target internet of things traffic data cluster comprises:
acquiring a transmission protocol of each Internet of things flow data, and determining whether each transmission protocol is in a preset transmission protocol configuration table;
and if the first transmission protocol is not in the preset transmission protocol configuration table, rejecting the Internet of things traffic data corresponding to the first transmission protocol.
4. The method of claim 3, after culling the internet of things traffic data corresponding to the first transport protocol, further comprising:
clustering the flow data of the internet of things according to the attribute characteristics of the flow data of the internet of things to obtain a plurality of target flow data clusters of the internet of things;
the attribute characteristics include access time, transfer protocol, or number of accesses.
5. The method of claim 1, wherein comparing the target feature vector to a set of predetermined reference feature vectors to determine whether the target feature vector matches a dangerous event comprises:
and respectively calculating the similarity of the target feature vector and each reference feature vector in the reference feature vector set, and when the similarity of the target feature vector and the target reference feature vector is greater than a set threshold value, determining that the target feature vector is matched with a dangerous event.
6. The method according to claim 1, wherein intercepting the Internet of things traffic data in the target Internet of things traffic data cluster corresponding to the target feature vector comprises:
forbidding the Internet of things traffic data in the target Internet of things traffic data cluster from being sent to the target Internet of things device,
and/or
forbidding the target Internet of things device from sending the Internet of things traffic data in the target Internet of things traffic data cluster.
7. The method of claim 1, after determining whether the target feature vector matches a dangerous event, further comprising:
and adding the target feature vector of the target Internet of things traffic data into the reference feature vector set.
8. A safety protection device for Internet of things equipment, characterized by comprising:
the internet of things traffic data acquisition module is used for acquiring at least one piece of internet of things traffic data corresponding to the target internet of things device;
the target Internet of things traffic data cluster determining module is used for screening the Internet of things traffic data, determining at least one target Internet of things traffic data cluster and extracting a target feature vector of each target Internet of things traffic data cluster;
the comparison module is used for comparing the target characteristic vector with a preset reference characteristic vector set and determining whether the target characteristic vector is matched with a dangerous event, wherein the reference characteristic vector set comprises a plurality of characteristic vectors of the dangerous event;
and the intercepting module is used for intercepting the Internet of things traffic data in the target Internet of things traffic data cluster corresponding to the target characteristic vector if the target characteristic vector is determined to be matched with the dangerous event.
9. An electronic device, characterized in that the electronic device comprises:
one or more processors;
a storage device for storing one or more programs,
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of securing internet of things devices as recited in any one of claims 1-7.
10. A storage medium containing computer-executable instructions, which when executed by a computer processor, perform a method of securing internet of things devices as recited in any one of claims 1-7.
CN202110063733.XA 2021-01-18 2021-01-18 Safety protection method, device, equipment and storage medium for Internet of things equipment Active CN112769847B (en)

Publications (2)

Publication Number Publication Date
CN112769847A true CN112769847A (en) 2021-05-07
CN112769847B CN112769847B (en) 2022-10-14


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant