CN112861124A - Terminal anti-intrusion detection method and device - Google Patents

Publication number: CN112861124A
Application number: CN202110133560.4A
Priority: CN202110133560.4A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 汪毅, 曹宇
Current Assignee: China Unionpay Co Ltd
Original Assignee: China Unionpay Co Ltd
Application filed by: China Unionpay Co Ltd
Prior art keywords: contact, invasion, terminal, preset, intrusion

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Alarm Systems (AREA)

Abstract

The invention discloses an anti-intrusion detection method and device for a terminal. The method comprises: for any anti-intrusion contact among the anti-intrusion contacts of the terminal, acquiring target disconnection gap data of that contact within a preset duration, the target disconnection gap data including the number of times the contact is disconnected within the preset duration and/or the interval duration between two consecutive disconnections of the contact; if the target disconnection gap data meets a preset physical attack standard, outputting a physical attack signal as the contact signal of that contact, the preset physical attack standard being determined according to the data distribution of historical disconnection gap data recorded when the terminal was subjected to actual physical attack; and determining whether the terminal is intruded at least according to the contact signals output by the anti-intrusion contacts.

Description

Terminal anti-intrusion detection method and device
Technical Field
The invention relates to the technical field of information security, in particular to an anti-intrusion detection method and device for a terminal.
Background
The anti-intrusion detection mechanism is a security mechanism provided for a terminal (such as a financial payment terminal). A terminal may be subjected to malicious physical attacks from outside, such as a power-off attack. With an anti-intrusion detection mechanism, the terminal can automatically detect an attack and promptly take security defense measures such as erasing the terminal master key and locking the terminal application, thereby protecting the privacy and security of sensitive data in the terminal.
The main principle of the anti-intrusion detection mechanism is as follows: a plurality of anti-intrusion contacts are arranged on the circuit board of the terminal, and a security chip (SE) monitors the working state of each anti-intrusion contact in real time. When an external attacker tries to open the terminal shell and carry out a malicious physical attack on the terminal by drilling, laser, chemical corrosion or similar means, the circuit where an anti-intrusion contact is located is disconnected, which generates an anti-intrusion trigger signal. After receiving the anti-intrusion signal, the security chip immediately erases sensitive data stored in the chip, such as keys, and puts the terminal into a locked state; the terminal can be restarted only after the terminal management party resets and activates it, so the privacy and security of the sensitive data is protected.
In current anti-intrusion detection methods, the anti-intrusion contacts of a terminal are usually set to be sensitive, so that an anti-intrusion signal is triggered as soon as the terminal is subjected to a malicious physical attack from outside. As a consequence, however, the probability of false triggering of the anti-intrusion detection mechanism also increases significantly. For example, impact and shock during transportation and use of the terminal may also falsely trigger the anti-intrusion detection mechanism. Therefore, how to reduce the probability of false triggering of the anti-intrusion detection mechanism is a problem faced in the security design of the terminal.
Disclosure of Invention
The invention provides an anti-intrusion detection method and device for a terminal, which solve the problem that an anti-intrusion detection mechanism is triggered by mistake in the prior art.
In a first aspect, the present invention provides an anti-intrusion detection method for a terminal, including:
for any anti-intrusion contact among the anti-intrusion contacts of the terminal, acquiring target disconnection gap data of that anti-intrusion contact within a preset duration; the target disconnection gap data includes: the number of times the anti-intrusion contact is disconnected within the preset duration and/or the interval duration between two consecutive disconnections of the anti-intrusion contact;
if the target disconnection gap data meets a preset physical attack standard, outputting a physical attack signal as the contact signal of the anti-intrusion contact; the preset physical attack standard is determined according to the data distribution of historical disconnection gap data recorded when the terminal was subjected to actual physical attack;
and determining whether the terminal is intruded at least according to the contact signals output by the anti-intrusion contacts.
In this method, a physical attack signal is not output as soon as an anti-intrusion contact is disconnected. Instead, for any anti-intrusion contact, the target disconnection gap data within the preset duration is acquired, the number of disconnections and/or the interval duration within the preset duration is considered as a whole and compared with the preset physical attack standard, and a physical attack signal is output as the contact signal when the standard is met. The physical attack signal of each anti-intrusion contact is therefore output more accurately, and whether the terminal is intruded is in turn determined more accurately, at least according to the contact signals output by the anti-intrusion contacts.
Optionally, each anti-intrusion contact corresponds to a credible factor; the credible factor of any anti-intrusion contact represents the accuracy of the physical attack signal output by that contact; determining whether the terminal is intruded at least according to the contact signals output by the anti-intrusion contacts comprises:
determining, at least according to the contact signal output by each anti-intrusion contact, at least one anti-intrusion contact that outputs a physical attack signal;
and determining whether the terminal is intruded at least according to the credible factor corresponding to the at least one anti-intrusion contact.
In this mode, credible factors are set for the anti-intrusion contacts, so that the accuracy with which each contact outputs a physical attack signal is quantified. Whether the terminal is intruded is then judged with the accuracy of the different contacts taken into account, which improves the accuracy of anti-intrusion detection.
Optionally, the credible factor of each anti-intrusion contact corresponds to a weight value; determining whether the terminal is intruded at least according to the credible factor corresponding to the at least one anti-intrusion contact comprises:
determining a credible weighted average value of the credible factors of the at least one anti-intrusion contact according to the credible factors corresponding to the at least one anti-intrusion contact and the weight values corresponding to those credible factors;
if the credible weighted average value is greater than a preset credible threshold, determining that the terminal is intruded; otherwise, determining that the terminal is not intruded.
In this mode, the credible factor of each anti-intrusion contact corresponds to a weight value, so that the reference value of the physical attack signal output by each contact is quantified. Whether the terminal is intruded is then judged from the weighted credible factors of the different contacts, which improves the accuracy of anti-intrusion detection.
Optionally, the method further includes:
for any anti-intrusion contact among the anti-intrusion contacts, acquiring electrical characteristic change data of that contact within the preset duration;
determining whether the terminal is intruded at least according to the contact signals output by the anti-intrusion contacts comprises:
determining whether the terminal is intruded at least according to the contact signals output by the anti-intrusion contacts and the electrical characteristic change data of the anti-intrusion contacts.
In this mode, the electrical characteristic change data is used together with the contact signals output by the anti-intrusion contacts to determine whether the terminal is intruded, which improves the accuracy of anti-intrusion detection.
Optionally, the target disconnection gap data specifically includes: the number of times the anti-intrusion contact is disconnected within the preset duration and the interval duration between every two consecutive disconnections of the anti-intrusion contact; the anti-intrusion contact is disconnected multiple times within the preset duration; the target disconnection gap data is determined to meet the preset physical attack standard in the following manner:
if the number of times the anti-intrusion contact is disconnected within the preset duration is not less than a preset number of times, and the interval duration between every two consecutive disconnections of the anti-intrusion contact is not greater than a preset interval duration, determining that the target disconnection gap data meets the preset physical attack standard.
In this mode, the number of disconnections within the preset duration and the interval duration between every two consecutive disconnections of the anti-intrusion contact are observed; in the case of multiple disconnections, the target disconnection gap data is determined to meet the preset physical attack standard by means of the preset number of times and the preset interval duration. The target disconnection gap data is thus judged from the overall disconnection behaviour within the preset duration, and the result is more reliable.
Optionally, the target disconnection gap data further includes the duration for which the anti-intrusion contact is disconnected within the preset duration; the target disconnection gap data specifically includes the number of times the anti-intrusion contact is disconnected within the preset duration and the duration for which it is disconnected within the preset duration; the anti-intrusion contact is disconnected a single time within the preset duration; the target disconnection gap data is determined to meet the preset physical attack standard in the following manner:
if the duration for which the anti-intrusion contact is disconnected within the preset duration is not less than a preset duration threshold, determining that the target disconnection gap data meets the preset physical attack standard.
In this mode, the number of disconnections within the preset duration and the interval duration between every two consecutive disconnections of the anti-intrusion contact are observed; in the case of a single disconnection, the target disconnection gap data is determined to meet the preset physical attack standard when the disconnection duration is not less than the preset duration threshold. Thus, even when there is only one disconnection, its duration is taken into account, and the judgment result is more reliable.
Optionally, the method further includes:
if the target disconnection gap data meets a preset false-touch standard, outputting a false-touch signal as the contact signal of the anti-intrusion contact; the preset false-touch standard is determined according to the data distribution of historical disconnection gap data recorded when the terminal was touched by mistake.
In this mode, the preset false-touch standard is set by analyzing the data distribution of historical disconnection gap data, so that a false-touch signal can be identified in time and the false-touch case is distinguished from the intrusion case.
In a second aspect, the present invention provides an anti-intrusion detection apparatus for a terminal, including:
the terminal comprises an acquisition module, a processing module and a control module, wherein the acquisition module is configured to acquire, for any anti-intrusion contact among the anti-intrusion contacts of the terminal, target disconnection gap data of that contact within a preset duration; the target disconnection gap data includes: the number of times the anti-intrusion contact is disconnected within the preset duration and/or the interval duration between two consecutive disconnections of the anti-intrusion contact;
the processing module is configured to output a physical attack signal as the contact signal of the anti-intrusion contact if the target disconnection gap data meets a preset physical attack standard; the preset physical attack standard is determined according to the data distribution of historical disconnection gap data recorded when the terminal was subjected to actual physical attack;
and the anti-intrusion device is further configured to determine whether the terminal is intruded at least according to the contact signal output by each anti-intrusion contact.
Optionally, each anti-intrusion contact corresponds to a credible factor; the credible factor of any anti-intrusion contact represents the accuracy of the physical attack signal output by that contact; the processing module is specifically configured to:
determine, at least according to the contact signal output by each anti-intrusion contact, at least one anti-intrusion contact that outputs a physical attack signal;
and determine whether the terminal is intruded at least according to the credible factor corresponding to the at least one anti-intrusion contact.
Optionally, the credible factor of each anti-intrusion contact corresponds to a weight value; the processing module is specifically configured to:
determine a credible weighted average value of the credible factors of the at least one anti-intrusion contact according to the credible factors corresponding to the at least one anti-intrusion contact and the weight values corresponding to those credible factors;
if the credible weighted average value is greater than a preset credible threshold, determine that the terminal is intruded; otherwise, determine that the terminal is not intruded.
Optionally, the processing module is further configured to: acquire, for any anti-intrusion contact among the anti-intrusion contacts, electrical characteristic change data of that contact within the preset duration; the processing module is specifically configured to: determine whether the terminal is intruded at least according to the contact signals output by the anti-intrusion contacts and the electrical characteristic change data of the anti-intrusion contacts.
Optionally, the target disconnection gap data specifically includes: the number of times the anti-intrusion contact is disconnected within the preset duration and the interval duration between every two consecutive disconnections of the anti-intrusion contact; the anti-intrusion contact is disconnected multiple times within the preset duration; the processing module is specifically configured to:
determine that the target disconnection gap data meets the preset physical attack standard in the following manner:
if the number of times the anti-intrusion contact is disconnected within the preset duration is not less than a preset number of times, and the interval duration between every two consecutive disconnections of the anti-intrusion contact is not greater than a preset interval duration, determine that the target disconnection gap data meets the preset physical attack standard.
Optionally, the target disconnection gap data further includes the duration for which the anti-intrusion contact is disconnected within the preset duration; the target disconnection gap data specifically includes the number of times the anti-intrusion contact is disconnected within the preset duration and the duration for which it is disconnected within the preset duration; the anti-intrusion contact is disconnected a single time within the preset duration; the processing module is specifically configured to:
determine that the target disconnection gap data meets the preset physical attack standard in the following manner:
if the duration for which the anti-intrusion contact is disconnected within the preset duration is not less than a preset duration threshold, determine that the target disconnection gap data meets the preset physical attack standard.
Optionally, the processing module is further configured to:
if the target disconnection gap data meets a preset false-touch standard, output a false-touch signal as the contact signal of the anti-intrusion contact; the preset false-touch standard is determined according to the data distribution of historical disconnection gap data recorded when the terminal was touched by mistake.
The advantageous effects of the second aspect and the various optional apparatuses of the second aspect may refer to the advantageous effects of the first aspect and the various optional methods of the first aspect, and are not described herein again.
In a third aspect, the present invention provides a computer device comprising a program or instructions for performing the method of the first aspect and the alternatives of the first aspect when the program or instructions are executed.
In a fourth aspect, the present invention provides a storage medium comprising a program or instructions which, when executed, is adapted to perform the method of the first aspect and the alternatives of the first aspect.
These and other aspects of the invention are apparent from and will be elucidated with reference to the embodiments described hereinafter.
Drawings
In order to illustrate the technical solutions in the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. The drawings described below show only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without inventive effort.
Fig. 1 is a schematic flowchart illustrating steps corresponding to an anti-intrusion detection method for a terminal according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of a system architecture corresponding to an anti-intrusion detection method for a terminal according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of a system architecture corresponding to an anti-intrusion detection method for a terminal according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of a system architecture corresponding to an anti-intrusion detection method for a terminal according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of an anti-intrusion detection device of a terminal according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention will be described in further detail with reference to the accompanying drawings, and it is apparent that the described embodiments are only a part of the embodiments of the present invention, not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
As shown in fig. 1, an embodiment of the present invention provides an anti-intrusion detection method for a terminal.
Step 101: for any anti-intrusion contact among the anti-intrusion contacts of the terminal, acquire target disconnection gap data of that contact within a preset duration.
Step 102: if the target disconnection gap data meets a preset physical attack standard, output a physical attack signal as the contact signal of the anti-intrusion contact.
Step 103: determine whether the terminal is intruded at least according to the contact signals output by the anti-intrusion contacts.
In steps 101 to 103, the target disconnection gap data includes the number of times the anti-intrusion contact is disconnected within the preset duration and/or the interval duration between every two consecutive disconnections of the anti-intrusion contact. The preset physical attack standard is determined according to the data distribution of historical disconnection gap data recorded when the terminal was subjected to actual physical attack.
It should be noted that "disconnection" of an anti-intrusion contact (referred to simply as a contact in this application) does not mean that the circuit is physically broken. Rather, the anti-intrusion contact is made sensitive by electrical means, so that if the anti-intrusion contact is touched, the signal of the circuit changes instantaneously; for example, a high level is output normally, and a low level is output when the anti-intrusion contact is physically attacked.
It should also be noted that the target disconnection gap data may include only the number of times the anti-intrusion contact is disconnected within the preset duration, only the interval duration between every two consecutive disconnections of the anti-intrusion contact, or both.
For example, a threshold on the number of disconnections may be set, and the target disconnection gap data is determined to meet the preset physical attack standard when that threshold is exceeded. As another example, an interval duration threshold may be set, and if some interval duration exceeds the interval duration threshold, the target disconnection gap data is determined to meet the preset physical attack standard.
The preset physical attack standards above are only examples and may be set flexibly according to the scenario; they are not specifically limited here.
In an optional implementation, the target disconnection gap data specifically includes: the number of times the anti-intrusion contact is disconnected within the preset duration and the interval duration between every two consecutive disconnections of the anti-intrusion contact; the anti-intrusion contact is disconnected multiple times within the preset duration; in step 102, the target disconnection gap data is determined to meet the preset physical attack standard in the following manner:
if the number of times the anti-intrusion contact is disconnected within the preset duration is not less than a preset number of times, and the interval duration between every two consecutive disconnections of the anti-intrusion contact is not greater than a preset interval duration, determine that the target disconnection gap data meets the preset physical attack standard.
For example, the number of times the anti-intrusion contact is disconnected within the preset duration is 10, the interval duration between every two consecutive disconnections of the anti-intrusion contact is 3 times 5 seconds, 4 times 6 seconds and 4 times 7 seconds, the preset number of times is 8, and the preset interval duration is 3 seconds.
Then the target disconnection gap data is determined to meet the preset physical attack standard.
In an optional embodiment, the target disconnection gap data further includes the duration for which the anti-intrusion contact is disconnected within the preset duration; the target disconnection gap data specifically includes the number of times the anti-intrusion contact is disconnected within the preset duration and the duration for which it is disconnected within the preset duration; the anti-intrusion contact is disconnected a single time within the preset duration; in step 102, the target disconnection gap data is determined to meet the preset physical attack standard in the following manner:
if the duration for which the anti-intrusion contact is disconnected within the preset duration is not less than a preset duration threshold, determine that the target disconnection gap data meets the preset physical attack standard.
For example, if the anti-intrusion contact is disconnected only once within a preset duration of 15 seconds, the duration of that disconnection is 10 seconds, and the preset duration threshold is 7 seconds, the target disconnection gap data is determined to meet the preset physical attack standard.
In an optional implementation, if the target disconnection gap data meets a preset false-touch standard, a false-touch signal is output as the contact signal of the anti-intrusion contact; the preset false-touch standard is determined according to the data distribution of historical disconnection gap data recorded when the terminal was touched by mistake.
For example, the data distribution of the historical disconnection gap data when the terminal is touched by mistake is that the interval duration between every two consecutive disconnections is greater than 5 seconds and the number of disconnections within the preset duration is less than or equal to 2.
In an optional embodiment, each anti-intrusion contact corresponds to a credible factor; the credible factor of any anti-intrusion contact represents the accuracy of the physical attack signal output by that contact; step 103 may specifically be as follows:
determine, at least according to the contact signal output by each anti-intrusion contact, at least one anti-intrusion contact that outputs a physical attack signal; and determine whether the terminal is intruded at least according to the credible factor corresponding to the at least one anti-intrusion contact.
For example, the anti-intrusion contacts outputting the physical attack signal are anti-intrusion contact 1 and anti-intrusion contact 2; the credible factor of anti-intrusion contact 1 is 40, and the credible factor of anti-intrusion contact 2 is 50. Determining whether the terminal is intruded at least according to the credible factor corresponding to the at least one anti-intrusion contact may consist of checking whether the sum of the credible factors of the at least one anti-intrusion contact is greater than a preset threshold for the sum of credible factors.
It should be noted that, in an optional embodiment, the credible factor of each anti-intrusion contact corresponds to a weight value; determining whether the terminal is intruded at least according to the credible factor corresponding to the at least one anti-intrusion contact then specifically comprises the following steps:
determine a credible weighted average value of the credible factors of the at least one anti-intrusion contact at least according to the credible factors corresponding to the at least one anti-intrusion contact and the weight values corresponding to those credible factors.
If the credible weighted average value is greater than a preset credible threshold, determine that the terminal is intruded; otherwise, determine that the terminal is not intruded.
For example, the anti-intrusion contacts outputting the physical attack signal are anti-intrusion contact 1 and anti-intrusion contact 2; the credible factor of anti-intrusion contact 1 is 40 with a weight value of 0.3, the credible factor of anti-intrusion contact 2 is 50 with a weight value of 0.5, and the preset credible threshold is 35.
Then the credible weighted average value is 0.3 × 40 + 0.5 × 50 = 37, which is greater than 35, so the terminal is determined to be intruded; if instead the preset credible threshold is set to 50, the terminal is determined not to be intruded.
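Steps 101 to 103 with the multiple-disconnection, single-disconnection, false-touch and weighted credible-factor embodiments above, written in C as an added example (not code from the patent). The preset values reuse the numbers in the examples above; the event traces, the third contact's factor and weight, the start-to-start interval definition, the integer percent weights and the SIG_NONE result for data matching neither standard are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { SIG_NONE, SIG_FALSE_TOUCH, SIG_PHYSICAL_ATTACK } contact_signal;

/* One disconnection of a contact inside the preset duration. */
typedef struct {
    uint32_t start_ms;    /* time the contact opened, from window start */
    uint32_t duration_ms; /* how long it stayed open */
} disconnect_event;

/* Preset standards; the values below reuse the numbers in the page's examples. */
typedef struct {
    size_t   attack_min_count;       /* preset number of times */
    uint32_t attack_max_interval_ms; /* preset interval duration */
    uint32_t attack_min_duration_ms; /* preset duration threshold, single break */
    size_t   false_max_count;        /* false touch: at most this many breaks */
    uint32_t false_min_interval_ms;  /* false touch: every interval exceeds this */
} preset_standard;

static const preset_standard PRESET = { 8, 3000, 7000, 2, 5000 };

/* Step 102 for one contact. Events must be sorted by start_ms. The interval
 * is measured start-to-start (assumption: the page does not define it). */
contact_signal classify_contact(const disconnect_event *ev, size_t n,
                                const preset_standard *p)
{
    int all_close = 1, all_sparse = 1;

    if (n == 0)
        return SIG_NONE;
    for (size_t i = 1; i < n; i++) {
        uint32_t gap = ev[i].start_ms - ev[i - 1].start_ms;
        if (gap > p->attack_max_interval_ms)
            all_close = 0;
        if (gap <= p->false_min_interval_ms)
            all_sparse = 0;
    }
    if (n == 1) {
        /* Single disconnection: judged on how long the contact stayed open. */
        if (ev[0].duration_ms >= p->attack_min_duration_ms)
            return SIG_PHYSICAL_ATTACK;
    } else if (n >= p->attack_min_count && all_close) {
        /* Multiple disconnections: enough of them, each close to the last. */
        return SIG_PHYSICAL_ATTACK;
    }
    if (n <= p->false_max_count && all_sparse)
        return SIG_FALSE_TOUCH;
    return SIG_NONE; /* matches neither standard (assumption: report nothing) */
}

typedef struct {
    uint32_t credible_factor; /* accuracy of this contact's attack signal */
    uint32_t weight_pct;      /* weight value in percent: 0.3 -> 30 */
} contact_profile;

/* Step 103: sum weight x factor over the contacts that output a physical
 * attack signal, as in the 0.3 x 40 + 0.5 x 50 example. Result is x100. */
uint32_t credible_score_x100(const contact_signal *sig,
                             const contact_profile *prof, size_t n)
{
    uint32_t score = 0;
    for (size_t i = 0; i < n; i++)
        if (sig[i] == SIG_PHYSICAL_ATTACK)
            score += prof[i].credible_factor * prof[i].weight_pct;
    return score;
}

/* Constructed sample traces for three contacts (not measured data). */
static const disconnect_event DRILL[] = {            /* 8 breaks, 2 s apart */
    {0, 500}, {2000, 500}, {4000, 500}, {6000, 500},
    {8000, 500}, {10000, 500}, {12000, 500}, {14000, 500} };
static const disconnect_event PRY[]  = { {1000, 10000} };       /* one 10 s break */
static const disconnect_event BUMP[] = { {0, 20}, {6000, 30} }; /* 2 breaks, 6 s apart */

/* Contacts 1 and 2 use the page's factors and weights; contact 3 is constructed. */
static const contact_profile PROFILES[3] = { {40, 30}, {50, 50}, {60, 20} };

/* Runs steps 101 to 103 over the sample contacts; returns the score x100. */
uint32_t demo_score_x100(void)
{
    contact_signal sig[3] = {
        classify_contact(DRILL, 8, &PRESET),
        classify_contact(PRY, 1, &PRESET),
        classify_contact(BUMP, 2, &PRESET) };
    return credible_score_x100(sig, PROFILES, 3);
}

/* Intruded when the score exceeds the preset credible threshold. */
int demo_intruded(uint32_t credible_threshold)
{
    return demo_score_x100() > credible_threshold * 100u;
}

int main(void)
{
    printf("score=%.2f intruded(35)=%d intruded(50)=%d\n",
           demo_score_x100() / 100.0, demo_intruded(35), demo_intruded(50));
    return 0;
}
```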
In an optional implementation, electrical characteristic change data within the preset duration can be acquired for any anti-intrusion contact among the anti-intrusion contacts. Step 103 may then be performed in the following manner:
determine whether the terminal is intruded at least according to the contact signals output by the anti-intrusion contacts and the electrical characteristic change data of the anti-intrusion contacts.
The electrical characteristic change data may be the amount of change in resistance or capacitance.
The following describes in detail an anti-intrusion detection method for a terminal according to the present invention with reference to fig. 2.
As shown in Fig. 2, the brief contact openings caused by vibration during transportation and use mostly last on the order of milliseconds, whereas a contact opening caused by a physical attack generally lasts on the order of seconds.
In the mode shown in Fig. 2, a signal judgment module and a signal analysis module are provided and different sampling and counting intervals are set, so that momentary contact disconnections during transportation and use are correctly identified and false triggering of the anti-intrusion mechanism is avoided. The contact signal analysis module sits in front of the signal judgment module, and its main function is to sample and count each signal path.
It should be noted that, according to laboratory data analysis, when a contact is disconnected by shock or impact during transportation or use, it generally goes through a repeated disconnection-connection-disconnection pattern. Most of the intervals are measured in milliseconds (tens to hundreds of milliseconds), and very few of them reach the second level. Such characteristics are generally difficult for an attacker to mimic while attacking the terminal.
Thus, the counting algorithm is set as follows: when one or more millisecond-level fluctuations of the contact signal occur, the contact signal is classified as a false touch signal and is not passed to the signal judgment module for the logical AND operation; when a second-level fluctuation of the contact signal occurs, the contact signal is classified as a physical attack signal and is passed to the signal judgment module for the logical AND operation.
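The following added example (not code from the patent) combines the millisecond/second classification described above with the credible-factor weighting from the worked example, and reproduces its values of 37 against thresholds of 35 and 50. The 1000 ms boundary, the sample format, the 5000 ms window and all names are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum

# Assumed boundary (not given in the patent text): an opening lasting at least
# this long is treated as "second-level"; anything shorter is "millisecond-level".
ATTACK_OPEN_MS = 1000


class ContactSignal(Enum):
    NORMAL = "normal"
    FALSE_TOUCH = "false_touch"
    PHYSICAL_ATTACK = "physical_attack"


@dataclass
class Contact:
    name: str
    credible_factor: float  # 0-100 reference value issued by the terminal background
    weight: float
    samples: list           # constructed (timestamp_ms, is_closed) pairs


def open_durations(samples, window_end_ms):
    """Return the duration in ms of every open episode inside the window."""
    durations, opened_at = [], None
    for t_ms, is_closed in samples:
        if not is_closed and opened_at is None:
            opened_at = t_ms                    # contact has just opened
        elif is_closed and opened_at is not None:
            durations.append(t_ms - opened_at)  # contact closed again
            opened_at = None
    if opened_at is not None:                   # still open when the window ends
        durations.append(window_end_ms - opened_at)
    return durations


def classify(samples, window_end_ms):
    """Signal analysis stage: map one contact's samples to a contact signal."""
    durations = open_durations(samples, window_end_ms)
    if not durations:
        return ContactSignal.NORMAL
    if max(durations) >= ATTACK_OPEN_MS:
        return ContactSignal.PHYSICAL_ATTACK
    return ContactSignal.FALSE_TOUCH            # only millisecond-level bounce


def credible_score(contacts, window_end_ms):
    """Sum weight * credible factor over contacts reporting a physical attack."""
    return sum(
        c.weight * c.credible_factor
        for c in contacts
        if classify(c.samples, window_end_ms) is ContactSignal.PHYSICAL_ATTACK
    )


def terminal_invaded(contacts, window_end_ms, threshold):
    return credible_score(contacts, window_end_ms) > threshold


# Constructed sample data for one 5000 ms window.
WINDOW_END_MS = 5000
CONTACTS = [
    # Opens once for 2200 ms: second-level opening.
    Contact("contact 1", 40, 0.3, [(0, True), (1200, False), (3400, True)]),
    # Opens at 2000 ms and never closes: counted up to the window end (3000 ms).
    Contact("contact 2", 50, 0.5, [(0, True), (2000, False)]),
    # Vibration-style bounce: openings of 40, 120 and 30 ms.
    Contact("contact 3", 80, 0.2, [(0, True), (500, False), (540, True),
                                   (700, False), (820, True),
                                   (900, False), (930, True)]),
]

if __name__ == "__main__":
    for c in CONTACTS:
        print(c.name, classify(c.samples, WINDOW_END_MS).value)
    print("score:", credible_score(CONTACTS, WINDOW_END_MS))
    print("invaded at threshold 35:", terminal_invaded(CONTACTS, WINDOW_END_MS, 35))
    print("invaded at threshold 50:", terminal_invaded(CONTACTS, WINDOW_END_MS, 50))
```

Contact 3 bounces three times but never stays open for a second, so it contributes nothing to the score even though its credible factor is the highest of the three.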
Further, one possible implementation may be the scenario illustrated in fig. 3.
In the manner shown in Fig. 3, the electrical characteristics of a contact mainly include parameters such as resistance, capacitance, inductance and frequency. When a false trigger occurs, the electrical characteristics of the contact usually do not change greatly, or the change can be quantified through a large number of experiments; the resulting quantitative data can be used as a condition for judging whether the anti-intrusion contact was falsely triggered.
However, when the terminal is under a deliberate malicious attack, the attacker, in order to prevent the terminal security mechanism from being triggered, generally short-circuits the contact by a physical or chemical method; implanting conductive adhesive or another conductive material is a common method. In that case the electrical characteristics of the contact, such as resistance and capacitance, generally change significantly, so by setting an electrical judgment standard (for example, a judgment threshold for the change in electrical characteristics) it can be judged whether the contact signal comes from a false trigger or from an attacker.
Further, one possible implementation may be the situation shown in fig. 4.
As shown in Fig. 4, the terminal background (the back-end system) is mainly used for terminal management and may be connected in a wired or wireless manner. When the anti-intrusion mechanism of a terminal is triggered during use, the key is erased and the terminal is locked; in addition, relevant information such as the states of all contacts and the electrical information (resistance/capacitance change) of the terminal is recorded, and is uploaded to the terminal background when the terminal is maintained and reactivated.
After collecting a large amount of information transmitted by terminals, the terminal background analyzes the data to form a quantized credible factor for each contact (for example, a reference value of 0-100). When a terminal restarts and connects to the terminal background, the credible factors are issued to the terminal to assist in judging the trigger signal.
This analysis method can effectively reduce the large number of false triggers caused by structural design defects. For example, when the information sent by a large number of terminals all points to the same contact, and laboratory analysis confirms that this contact is easily triggered by external vibration or impact because of structural design or similar problems, the credible factor of that contact can be appropriately reduced.
In extreme cases, for example when a design defect in the contact structure makes the contact extremely sensitive to vibration and all security trigger information comes from that contact, the credible factor of the contact can be set to 0, provided that overall security is not affected (a terminal is usually provided with several anti-intrusion contacts and has security design redundancy). The contact is then no longer used as a basis for the judgment, and terminals already distributed on the market no longer take that contact's signal as a judgment source. Meanwhile, the contact structure design should be optimized in subsequent product designs.
As shown in Fig. 5, the present invention provides an anti-intrusion detection device for a terminal, including:
an obtaining module 501, configured to obtain, for any one of the anti-intrusion contacts of a terminal, target disconnection gap data of that anti-intrusion contact within a preset time period; the target disconnection gap data includes: the number of times the anti-intrusion contact is disconnected within the preset time period and/or the interval between two consecutive disconnections of the anti-intrusion contact;
a processing module 502, configured to output a physical attack signal as the contact signal of the anti-intrusion contact if the target disconnection gap data meets a preset physical attack standard; the preset physical attack standard is determined according to the data distribution rule of historical disconnection gap data when the terminal is subjected to actual physical attack;
the processing module 502 is further configured to determine whether the terminal is invaded at least according to the contact signals output by the anti-intrusion contacts.
Optionally, each anti-intrusion contact corresponds to a credible factor; the credible factor of any anti-intrusion contact represents the accuracy of the physical attack signal output by that anti-intrusion contact; the processing module 502 is specifically configured to:
determining at least one anti-invasion contact which outputs a physical attack signal in each anti-invasion contact at least according to the contact signal output by each anti-invasion contact;
and determining whether the terminal is invaded or not at least according to the credible factor corresponding to the at least one anti-invasion contact.
Optionally, the credible factors of the anti-intrusion contacts correspond to the weight values; the processing module 502 is specifically configured to:
determining a credible weighted average value of the credible factors of the at least one anti-intrusion contact according to the credible factors corresponding to the at least one anti-intrusion contact and the weight values corresponding to the credible factors;
if the credible weighted average value is larger than a preset credible threshold value, determining that the terminal is invaded; otherwise, determining that the terminal is not invaded.
Optionally, the processing module 502 is further configured to: acquiring electrical characteristic change data of the anti-invasion contacts within the preset time period aiming at any anti-invasion contact in the anti-invasion contacts; the processing module 502 is specifically configured to: and determining whether the terminal is invaded or not at least according to the contact signals output by the anti-invasion contacts and the electrical characteristic change data of the anti-invasion contacts.
Optionally, the target disconnection gap data specifically includes: the number of times the anti-intrusion contact is disconnected within the preset time period and the interval between every two consecutive disconnections of the anti-intrusion contact; the anti-intrusion contact is disconnected multiple times within the preset time period; the processing module 502 is specifically configured to:
determine that the target disconnection gap data meets the preset physical attack standard in the following manner:
if the number of times the anti-intrusion contact is disconnected within the preset time period is not less than a preset number of times, and the interval between every two consecutive disconnections of the anti-intrusion contact is not more than a preset interval, determining that the target disconnection gap data meets the preset physical attack standard.
Optionally, the target disconnection gap data further includes the duration for which the anti-intrusion contact is disconnected within the preset time period; the target disconnection gap data specifically comprises the number of times the anti-intrusion contact is disconnected within the preset time period and the duration for which the anti-intrusion contact is disconnected within the preset time period; the anti-intrusion contact is disconnected only once within the preset time period; the processing module 502 is specifically configured to:
determine that the target disconnection gap data meets the preset physical attack standard in the following manner:
if the duration for which the anti-intrusion contact is disconnected within the preset time period is not less than a preset duration threshold, determining that the target disconnection gap data meets the preset physical attack standard.
Optionally, the processing module 502 is further configured to:
if the target disconnection gap data meet a preset mistaken touch standard, outputting a mistaken touch signal as a contact signal of the anti-invasion contact; the preset mistaken touch standard is determined according to a data distribution rule of historical disconnection gap data when the terminal is touched by mistake.
Based on the same inventive concept, embodiments of the present invention also provide a computer device, which includes a program or instructions, and when the program or instructions are executed, the method for detecting intrusion of a terminal and any optional method provided by the embodiments of the present invention are executed.
Based on the same inventive concept, embodiments of the present invention also provide a computer-readable storage medium, which includes a program or instructions, and when the program or instructions are executed, the method for detecting intrusion of a terminal and any optional method provided by the embodiments of the present invention are executed.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (10)

1. An anti-intrusion detection method of a terminal is characterized by comprising the following steps:
for any one of the anti-intrusion contacts of the terminal, acquiring target disconnection gap data of that anti-intrusion contact within a preset time period; the target disconnection gap data includes: the number of times the anti-intrusion contact is disconnected within the preset time period and/or the interval between two consecutive disconnections of the anti-intrusion contact;
if the target disconnection gap data meet the preset physical attack standard, outputting a physical attack signal serving as a contact signal of the anti-invasion contact; the preset physical attack standard is determined according to the data distribution rule of historical disconnection gap data when the terminal is subjected to actual physical attack;
and determining whether the terminal is invaded or not at least according to the contact signals output by the anti-invasion contacts.
2. The method of claim 1, wherein each anti-intrusion contact corresponds to a credible factor; the credible factor of any anti-intrusion contact represents the accuracy of the physical attack signal output by that anti-intrusion contact; determining whether the terminal is invaded at least according to the contact signals output by the anti-intrusion contacts comprises:
determining at least one anti-invasion contact which outputs a physical attack signal in each anti-invasion contact at least according to the contact signal output by each anti-invasion contact;
and determining whether the terminal is invaded or not at least according to the credible factor corresponding to the at least one anti-invasion contact.
3. The method of claim 2, wherein the credible factor of each anti-intrusion contact corresponds to a weight value; determining whether the terminal is invaded at least according to the credible factor corresponding to the at least one anti-intrusion contact comprises:
determining a credible weighted average value of the credible factors of the at least one anti-intrusion contact according to the credible factors corresponding to the at least one anti-intrusion contact and the weight values corresponding to the credible factors;
if the credible weighted average value is larger than a preset credible threshold value, determining that the terminal is invaded; otherwise, determining that the terminal is not invaded.
4. The method of claim 1, wherein the method further comprises:
acquiring electrical characteristic change data of the anti-invasion contacts within the preset time period aiming at any anti-invasion contact in the anti-invasion contacts;
determining whether the terminal is invaded according to at least the contact signals output by the anti-invasion contacts, comprising:
and determining whether the terminal is invaded or not at least according to the contact signals output by the anti-invasion contacts and the electrical characteristic change data of the anti-invasion contacts.
5. The method according to any of claims 1 to 4, wherein the target disconnection gap data specifically comprises: the number of times the anti-intrusion contact is disconnected within the preset time period and the interval between every two consecutive disconnections of the anti-intrusion contact; the anti-intrusion contact is disconnected multiple times within the preset time period; the target disconnection gap data is determined to meet the preset physical attack standard in the following manner:
if the number of times the anti-intrusion contact is disconnected within the preset time period is not less than a preset number of times, and the interval between every two consecutive disconnections of the anti-intrusion contact is not more than a preset interval, determining that the target disconnection gap data meets the preset physical attack standard.
6. The method of any one of claims 1 to 4, wherein the target disconnection gap data further includes the duration for which the anti-intrusion contact is disconnected within the preset time period; the target disconnection gap data specifically comprises the number of times the anti-intrusion contact is disconnected within the preset time period and the duration for which the anti-intrusion contact is disconnected within the preset time period; the anti-intrusion contact is disconnected only once within the preset time period; the target disconnection gap data is determined to meet the preset physical attack standard in the following manner:
if the duration for which the anti-intrusion contact is disconnected within the preset time period is not less than a preset duration threshold, determining that the target disconnection gap data meets the preset physical attack standard.
7. The method of any of claims 1 to 4, further comprising:
if the target disconnection gap data meet a preset mistaken touch standard, outputting a mistaken touch signal as a contact signal of the anti-invasion contact; the preset mistaken touch standard is determined according to a data distribution rule of historical disconnection gap data when the terminal is touched by mistake.
8. An anti-intrusion detection apparatus of a terminal, comprising:
an acquisition module, configured to acquire, for any one of the anti-intrusion contacts of the terminal, target disconnection gap data of that anti-intrusion contact within a preset time period; the target disconnection gap data includes: the number of times the anti-intrusion contact is disconnected within the preset time period and/or the interval between two consecutive disconnections of the anti-intrusion contact;
a processing module, configured to output a physical attack signal as the contact signal of the anti-intrusion contact if the target disconnection gap data meets a preset physical attack standard; the preset physical attack standard is determined according to the data distribution rule of historical disconnection gap data when the terminal is subjected to actual physical attack;
the processing module is further configured to determine whether the terminal is invaded at least according to the contact signals output by the anti-intrusion contacts.
9. A computer device comprising a program or instructions that, when executed, perform the method of any of claims 1 to 7.
10. A computer-readable storage medium comprising a program or instructions which, when executed, perform the method of any of claims 1 to 7.
CN202110133560.4A 2021-02-01 2021-02-01 Terminal anti-intrusion detection method and device Pending CN112861124A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110133560.4A CN112861124A (en) 2021-02-01 2021-02-01 Terminal anti-intrusion detection method and device

Publications (1)

Publication Number Publication Date
CN112861124A true CN112861124A (en) 2021-05-28

Family

ID=75987267

Country Status (1)

Country Link
CN (1) CN112861124A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination