CN113676490A - Mute terminal safety detection method, device, equipment and readable storage medium - Google Patents


Info

Publication number
CN113676490A
Authority
CN
China
Prior art keywords
terminal
identification information
destination
traffic data
dumb
Prior art date
Legal status
Pending
Application number
CN202111075398.1A
Other languages
Chinese (zh)
Inventor
周奇
Current Assignee
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Sangfor Technologies Co Ltd
Priority to CN202111075398.1A
Publication of CN113676490A
Legal status: Pending (current)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies

Abstract

The application discloses a security detection method, apparatus, device and readable storage medium for a dumb terminal. The method comprises: acquiring network traffic data; determining the source end and the destination end of the network traffic data; and, if the source end is a dumb terminal and the destination end prohibits access by dumb terminals, raising an alarm. Thus, after the source end and destination end of the network traffic data have been determined, a source end that is a dumb terminal together with a destination end that prohibits access by dumb terminals indicates that the network traffic data is abnormal access data, that is, the dumb terminal has accessed a destination it is forbidden to access; the alarm makes this violation by the dumb terminal visible, so that the security of each device in the network can be ensured. Correspondingly, the dumb terminal security detection apparatus, the dumb terminal security detection device and the readable storage medium have the same technical effect.

Description

Mute terminal safety detection method, device, equipment and readable storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method, an apparatus, a device, and a readable storage medium for security detection of a dumb terminal.
Background
At present, dumb terminals are used as end devices in a network, and their access behavior is easily overlooked. However, a dumb terminal may exhibit abnormal access behavior, so how to perform security detection of the access behavior of dumb terminals is a problem to be solved by those skilled in the art.
Disclosure of Invention
In view of the above, an object of the present application is to provide a method, an apparatus, a device and a readable storage medium for security detection of a dumb terminal, so as to perform security detection of the access behavior of the dumb terminal. The specific scheme is as follows:
In a first aspect, the present application provides a security detection method for a dumb terminal, including:
acquiring network traffic data;
determining a source end and a destination end of the network traffic data;
and if the source end is a dumb terminal and the destination end prohibits access by dumb terminals, raising an alarm.
Preferably, the acquiring network traffic data includes:
acquiring network traffic data within a preset time period.
Preferably, the raising an alarm includes:
acquiring terminal information of the dumb terminal, generating an alarm event based on the terminal information, and recording an alarm timestamp;
and storing the alarm event and the alarm timestamp in a database.
Preferably, the method further includes:
acquiring source identification information of the source end from the network traffic data;
comparing the source identification information with each item of preset dumb terminal identification information;
and if the source identification information is the same as any item of dumb terminal identification information, determining that the source end is a dumb terminal.
Preferably, the method further includes:
acquiring destination identification information of the destination end from the network traffic data;
comparing the destination identification information with each item of preset forbidden end identification information, the forbidden end identification information being the identification information of each end that dumb terminals are forbidden to access;
and if the destination identification information is the same as any item of forbidden end identification information, determining that the destination end prohibits access by dumb terminals.
Preferably, the forbidden end identification information includes: each item of preset dumb terminal identification information and/or the data access port of at least one protocol.
Preferably, before determining the source end and the destination end of the network traffic data, the method further includes:
filtering the network traffic data by using a white list, so as to remove from the network traffic data the target traffic data matching the white list; the white list records the identification information of each end that dumb terminals are allowed to access.
Preferably, the method further includes:
if the source end is a dumb terminal, the destination end does not prohibit access by dumb terminals, and the destination end is not recorded in the white list, recording the network traffic data.
In a second aspect, the present application provides a dumb terminal security detection apparatus, including:
an acquisition module for acquiring network traffic data;
a determining module for determining a source end and a destination end of the network traffic data;
and a detection module for raising an alarm if the source end is a dumb terminal and the destination end prohibits access by dumb terminals.
In a third aspect, the present application provides an electronic device, comprising:
a memory for storing a computer program;
and a processor for executing the computer program so as to implement the dumb terminal security detection method disclosed above.
In a fourth aspect, the present application provides a readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the dumb terminal security detection method disclosed above.
According to the above scheme, the application provides a dumb terminal security detection method comprising: acquiring network traffic data; determining a source end and a destination end of the network traffic data; and, if the source end is a dumb terminal and the destination end prohibits access by dumb terminals, raising an alarm.
It can be seen that, in the present application, after the source end and destination end of the network traffic data have been determined, a source end that is a dumb terminal together with a destination end that prohibits access by dumb terminals indicates that the network traffic data is abnormal access data, that is, the dumb terminal has accessed a destination it is forbidden to access; the alarm makes the violation by the dumb terminal in the network visible and gives a timely prompt, thereby ensuring the security of each device in the network.
Correspondingly, the dumb terminal security detection apparatus, the dumb terminal security detection device and the readable storage medium have the same technical effect.
Drawings
In order to illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are only embodiments of the present application, and those skilled in the art can obtain other drawings from the provided drawings without creative effort.
Fig. 1 is a flowchart of a security detection method for a dumb terminal disclosed in the present application;
Fig. 2 is a flowchart of detecting network traffic data as disclosed in the present application;
Fig. 3 is a schematic diagram of a dumb terminal security detection apparatus disclosed in the present application;
Fig. 4 is a schematic diagram of an electronic device disclosed in the present application;
Fig. 5 is a schematic diagram of another electronic device disclosed in the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
At present, dumb terminals are used as end devices in a network, and their access behavior is easily overlooked even though it may be abnormal. Therefore, the application provides a security detection scheme for dumb terminals, which can be used to perform security detection of the access behavior of dumb terminals.
Referring to fig. 1, an embodiment of the present application discloses a security detection method for a dumb terminal, including:
and S101, acquiring network flow data.
In an embodiment, the network traffic data is traffic data flowing through a dumb terminal in the network, and may specifically be: access data generated by dumb terminals in the network.
A dumb terminal denotes a computer terminal with limited functionality compared to other kinds of relatively "smart" computer terminals. For example: the dumb terminal may be a web cam (IP Camera) or the like. The webcam is a new generation of cameras generated by combining traditional cameras with network technology. Besides the image capturing function of the common traditional camera, a digital compression controller and a WEB-based operating system are also arranged in the camera, so that video data are compressed and encrypted and then are transmitted to a terminal user through a local area network, the Internet or a wireless network.
S102: determining a source end and a destination end of the network traffic data.
The source end and the destination end of the network traffic data can be determined from the source address/source port and the destination address/destination port carried in the network traffic data. Accordingly, the source end and destination end may be determined by extracting the source address/source port and destination address/destination port from the network traffic data and identifying the source end and destination end from them. In general, the source address and destination address are IP addresses, and the source port and destination port are distinguished by their port numbers.
S103: if the source end is a dumb terminal and the destination end prohibits access by dumb terminals, raising an alarm.
It should be noted that a dumb terminal, as an end device in the network, generally only needs to upload its running state information and the specific data it collects to the device it is connected to, and does not need to access other devices of the same type or a database. Therefore, once a dumb terminal is found to access other devices of the same type or to access a database, this indicates that the dumb terminal has abnormal access behavior.
To facilitate detection of abnormal access behavior by dumb terminals, information such as the IP address, MAC address and port number of each end that dumb terminals are prohibited from accessing may be collected in advance. In step S103, once the source end is determined to be a dumb terminal, whether the destination end of the network traffic data prohibits access by dumb terminals can be determined from the pre-collected information; if it does, the network traffic data is abnormal access data, that is, the dumb terminal has accessed a destination it is forbidden to access, and an alarm is raised. The IP address, MAC address, port number and similar information of each end that dumb terminals are forbidden to access can be recorded in a black list, so that the destination end of the network traffic data is checked against the black list.
It can be seen that, in this embodiment, after the source end and destination end of the network traffic data have been determined, a source end that is a dumb terminal together with a destination end that prohibits access by dumb terminals indicates that the network traffic data is abnormal access data, that is, the dumb terminal has accessed a destination it is forbidden to access; the alarm makes the violation by the dumb terminal in the network visible and gives a timely prompt, thereby ensuring the security of each device in the network.
Based on the above embodiments, it should be noted that, to avoid processing too much network traffic data at once and thus taking a long time, the network traffic data may be acquired at intervals. Thus, in one embodiment, acquiring network traffic data comprises acquiring network traffic data within a preset time period, for example acquiring, every hour, the network traffic data generated in the last hour.
Based on the above embodiments, it should be noted that the alarm may take various forms, for example returning an alarm prompt message carrying the detailed information of the dumb terminal concerned to the front end, or sending an alarm mail to a specified mailbox. Thus, in one embodiment, raising an alarm comprises: acquiring terminal information of the dumb terminal, generating an alarm event based on the terminal information, and recording an alarm timestamp; the alarm event and alarm timestamp are stored in a database for later review by a technician.
The detailed information of the dumb terminal is the same as the terminal information of the dumb terminal, and may include the device type, IP address, installation location, manufacturer information and the like of the dumb terminal.
Based on the foregoing embodiments, a specific way of detecting whether the source end of the network traffic data is a dumb terminal is as follows: obtain the source identification information (such as the source IP address) of the source end from the network traffic data; compare the source identification information with each item of preset dumb terminal identification information (such as the IP addresses of the dumb terminals); and if the source identification information is the same as any item of dumb terminal identification information, determine that the source end is a dumb terminal.
Based on the foregoing embodiments, a specific way of detecting whether the destination end of the network traffic data prohibits access by dumb terminals is as follows: obtain the destination identification information (such as the destination IP address or destination port number) of the destination end from the network traffic data; compare the destination identification information with each item of preset forbidden end identification information, where the forbidden end identification information is the identification information (such as the IP address or port number) of each end that dumb terminals are forbidden to access; and if the destination identification information is the same as any item of forbidden end identification information, determine that the destination end prohibits access by dumb terminals.
In one embodiment, the forbidden end identification information includes each item of preset dumb terminal identification information and/or the data access port of at least one protocol. The data access ports of at least one protocol are, for example, the protocol ports with port numbers 80, 443, 21, 23, 137, 138, 139, 445, 3389, 27017, 3306, 22, 1433, 5000, 9200, 9300, 6379, 1521, 11211, 9092, 1527 and the like.
Based on the foregoing embodiments, before the source end and destination end of the network traffic data are determined, the network traffic data may be filtered to remove normal traffic and repeated traffic. Therefore, in a specific embodiment, before determining the source end and the destination end of the network traffic data, the method further includes: filtering the network traffic data by using a white list, so as to remove from the network traffic data the target traffic data matching the white list; the white list records the identification information (such as the IP address or port number) of each end that dumb terminals are allowed to access.
Based on the foregoing embodiments, if the source end is a dumb terminal, the destination end does not prohibit access by dumb terminals, and the destination end is not recorded in the white list, the destination end of this piece of network traffic data belongs neither to the objects to which access is prohibited nor to the objects to which access is allowed; in this case the piece of network traffic data is recorded, so that a technician can further analyze whether its access behavior is abnormal.
The following describes a network traffic data analysis scheme provided in the present application to help understand the present application. The scheme is described by taking an IP camera (IPC) as the dumb terminal.
In this scheme, a black list, a white list and a grey list are set. The black list records the IP addresses of all IPCs in the network and the ports of the various protocols that dumb terminals are forbidden to access. The white list records the ports of the various protocols that dumb terminals are allowed to access. The grey list records the ports of other protocols that are in neither the black list nor the white list. The black list does not record the IP addresses of Network Video Recorders (NVRs), that is, no access analysis is performed for this type of dumb terminal. The addresses and ports in the black list and the white list can be deleted or added according to the actual application scenario.
The ports of the various protocols that dumb terminals are forbidden to access are: 80, 443, 21, 23, 137, 138, 139, 445, 3389, 27017, 3306, 22, 1433, 5000, 9200, 9300, 6379, 1521, 11211, 9092, 1527, 5432 and the like.
Here 80 is the port number of HTTP, 443 of HTTPS, 21 of FTP, 23 of Telnet, 137/138/139 of NetBIOS, 445 of SMB, 3389 of RDP remote desktop, 27017 of Mongo, 3306 of MySQL, 22 of SSH, 1433 of SQL Server, 5000 of DB2, 9200 and 9300 of ES, 6379 of Redis, 1521 of Oracle, 11211 of Memcached, 9092 of PointBase, 1527 of Derby and 5432 of PgSQL.
The ports of the various protocols that dumb terminals are allowed to access are 123 and 53. When the source address of a flow is an IPC, its source port is one of 80, 554, 443, 8000, 37777, 37778, 5060 and 51, and its destination port is 123 or 53, the traffic is considered normal.
Specifically, the network traffic data may be acquired every half hour or every hour. After the network traffic data is acquired, the records in it are divided into groups of 1000, and each group is processed.
For any group of 1000 records, all records whose source IP address is an IPC are selected, and the white list is applied to delete matching records, giving the records to be processed, whose source IP address is an IPC and whose destination port is not in the white list. The destination addresses of the records to be processed are then checked against the black list: if the destination address of any record is in the black list, the detailed information of the IPC corresponding to the record's source IP address is obtained and an alarm is raised for that IPC. For records to be processed whose destination address is not in the black list, the destination addresses are recorded in the grey list, together with the detailed information and traffic data of the IPC concerned, for subsequent further analysis.
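As an added illustration of the black/white/grey-list triage described above (this is not code from the patent or from Sangfor), the following Python sketch classifies constructed flow records in groups and assembles alarm events with the terminal details and an alarm timestamp. The IPC address list and the port numbers are the ones quoted on this page; the Flow type, the IPC_INVENTORY dictionary standing in for the mongodb lookup, and the sample flows are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional

# Lists in the spirit of the scheme: the IPC IP list from the page's example,
# the page's forbidden protocol ports, and the white-listed ports.
IPC_IP_LIST = {"190.0.3.221", "188.22.5.33"}
FORBIDDEN_PORTS = {80, 443, 21, 23, 137, 138, 139, 445, 3389, 27017, 3306, 22,
                   1433, 5000, 9200, 9300, 6379, 1521, 11211, 9092, 1527, 5432}
ALLOWED_DST_PORTS = {123, 53}          # white list: NTP and DNS
NORMAL_IPC_SRC_PORTS = {80, 554, 443, 8000, 37777, 37778, 5060, 51}

# Hypothetical terminal inventory standing in for the page's mongodb lookup
# (find_ipc_message); the detail values are constructed.
IPC_INVENTORY = {
    "190.0.3.221": {"device_type": "IPC", "location": "lobby", "vendor": "ExampleCam"},
    "188.22.5.33": {"device_type": "IPC", "location": "car park", "vendor": "ExampleCam"},
}


@dataclass(frozen=True)
class Flow:
    """One flow record: source/destination address and port (step S102)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def is_whitelisted(flow: Flow) -> bool:
    """White-list rule from the page: IPC source, a known IPC source port and a
    destination port of 123 or 53 is normal traffic and is removed before analysis."""
    return flow.src_port in NORMAL_IPC_SRC_PORTS and flow.dst_port in ALLOWED_DST_PORTS


def classify(flow: Flow) -> str:
    """Return 'ignore' (source is not an IPC), 'normal' (white list),
    'alarm' (black list: IPC -> IPC or IPC -> forbidden protocol port) or 'grey'."""
    if flow.src_ip not in IPC_IP_LIST:
        return "ignore"
    if is_whitelisted(flow):
        return "normal"
    if flow.dst_ip in IPC_IP_LIST or flow.dst_port in FORBIDDEN_PORTS:
        return "alarm"
    return "grey"


def make_alarm_event(flow: Flow, now: Optional[datetime] = None) -> Dict:
    """Assemble the alarm event: terminal details plus an alarm timestamp (step S103)."""
    now = now or datetime.now(timezone.utc)
    reason = "ipc_to_ipc" if flow.dst_ip in IPC_IP_LIST else f"forbidden_port:{flow.dst_port}"
    return {"src_ip": flow.src_ip, "dst_ip": flow.dst_ip, "dst_port": flow.dst_port,
            "reason": reason, "terminal": IPC_INVENTORY.get(flow.src_ip, {}),
            "alarm_time": now.isoformat()}


def detect(flows: Iterable[Flow], group_size: int = 1000) -> Dict[str, List]:
    """Process the acquired flows in groups of group_size and return the alarm
    events (black-list hits) and the grey-list records kept for later review."""
    result: Dict[str, List] = {"alarms": [], "grey": []}
    flows = list(flows)
    for start in range(0, len(flows), group_size):
        for flow in flows[start:start + group_size]:
            verdict = classify(flow)
            if verdict == "alarm":
                result["alarms"].append(make_alarm_event(flow))
            elif verdict == "grey":
                result["grey"].append({"flow": flow,
                                       "terminal": IPC_INVENTORY.get(flow.src_ip, {})})
    return result


# Constructed sample flows covering each branch of the scheme.
SAMPLE_FLOWS = [
    Flow("190.0.3.221", 554, "10.0.0.5", 123),       # NTP from an IPC: white list, normal
    Flow("190.0.3.221", 40001, "188.22.5.33", 80),   # IPC -> IPC: black list
    Flow("188.22.5.33", 40002, "10.0.0.9", 3306),    # IPC -> MySQL port: black list
    Flow("188.22.5.33", 40003, "10.0.0.20", 8443),   # unknown port: grey list
    Flow("10.0.0.50", 5555, "188.22.5.33", 80),      # source is not an IPC: ignored
]

if __name__ == "__main__":
    out = detect(SAMPLE_FLOWS)
    for event in out["alarms"]:
        print("ALARM", event)
    for record in out["grey"]:
        print("GREY ", record)
```

The order of the checks matters: the white list is applied before the black list, as the page describes, so an IPC that talks NTP to a time server on port 123 is never examined against the forbidden-port set, while an IPC reaching another IPC is reported as ipc_to_ipc even when the destination port would also be a forbidden one.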
Referring to fig. 2, the process of detecting network traffic data by using the IP addresses of all IPCs in the black list includes:
(1) Obtain the IP addresses of all IPCs in the network to form the IPC IP list ipc_ip_list. The ipc_ip_list may, for example, be recorded as: ['190.0.3.221','188.22.5.33'].
(2) Obtain the network traffic over a period of time.
(3) Assemble a filtering condition based on the IP addresses of all IPCs in the black list, and filter the network traffic to obtain all traffic whose destination address is the IP address of an IPC.
(4) Judge whether the source IP address and the destination IP address of the filtered network flow are both in the IP list.
(5) If the source IP address and the destination IP address of the network flow are both in the IP list, obtain the detailed information of the IPC concerned from the mongodb database. If they are not both in the IP list, acquire the next network flow for detection.
(6) Assemble a security event based on the acquired detailed information of the IPC and store it in the database.
In fig. 2, end_time is 10 minutes before the current time, and start_time is initialized to half an hour before end_time. The next detection assigns the previous end_time to start_time.
The interfaces involved in fig. 2 are listed in table 1:
TABLE 1
Interface name                    Description of the function
get_ipc_ip                        Obtain the IP addresses of all cameras
find_access_es, find_sec_event    Acquire network traffic
get_common_filter                 Assemble the filter condition statement for querying the ES database
find_ipc_message                  Obtain the detailed information of the abnormal IPC
_insert_event                     Insert a security event
connect_mongodb                   Connect to the mongodb database
find_terminal_camera              Query mongo to obtain camera information
Correspondingly, the flow and related interfaces for detecting network traffic data by using the ports of the various protocols in the black list that dumb terminals are forbidden to access are similar to those in fig. 2; only the filtering condition in step (3) and the judging condition in step (4) need to be adjusted, so they are not described in detail here.
When detecting network traffic data by using the forbidden protocol ports in the black list, the filtering condition in step (3) is: assemble the filtering condition from the ports of the various protocols in the black list that dumb terminals are forbidden to access, and filter the network traffic to obtain all traffic whose destination port is one of the forbidden ports. The judging condition in step (4) is: judge whether the source IP address of the filtered network flow is in the IP list; if the source IP address is in the IP list and the destination port is one of the forbidden ports, the IPC concerned in that flow has abnormal access behavior.
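As an added example (not the patent's or Sangfor's code) of the fig. 2 pipeline and of the port-based variant just described, the following Python sketch implements the time-window rule (end_time ten minutes before now; start_time half an hour earlier on the first run and the previous end_time afterwards), the two filter/judge pairs that differ between steps (3) and (4), and the assembly of a security event in steps (5) and (6). An in-memory record list stands in for the ES query, and IPC_DETAILS stands in for the mongodb lookup; the record layout, the detail values and the timestamps are assumptions.

```python
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

Record = Dict  # one flow as returned by the traffic store: ts, src_ip, dst_ip, dst_port

IPC_IP_LIST = {"190.0.3.221", "188.22.5.33"}                          # the page's ipc_ip_list example
FORBIDDEN_PORTS = {80, 443, 21, 23, 22, 445, 3306, 3389, 6379, 5432}  # subset of the page's list

# Hypothetical stand-in for the find_ipc_message / find_terminal_camera lookup
# (a mongodb query on the page); the detail values are constructed.
IPC_DETAILS = {"190.0.3.221": {"device_type": "IPC", "location": "lobby"},
               "188.22.5.33": {"device_type": "IPC", "location": "car park"}}


def next_window(prev_end: Optional[datetime], now: datetime) -> Tuple[datetime, datetime]:
    """Window rule from fig. 2: end_time is 10 minutes before now; the first start_time
    is half an hour before end_time; later runs start where the previous run ended."""
    end_time = now - timedelta(minutes=10)
    start_time = prev_end if prev_end is not None else end_time - timedelta(minutes=30)
    return start_time, end_time


# Step (3) filter and step (4) judgement for the two black-list variants on the page.
def filter_dst_is_ipc(r: Record) -> bool:
    return r["dst_ip"] in IPC_IP_LIST


def judge_both_ipc(r: Record) -> bool:
    return r["src_ip"] in IPC_IP_LIST and r["dst_ip"] in IPC_IP_LIST


def filter_dst_forbidden_port(r: Record) -> bool:
    return r["dst_port"] in FORBIDDEN_PORTS


def judge_src_ipc(r: Record) -> bool:
    return r["src_ip"] in IPC_IP_LIST


VARIANTS: Dict[str, Tuple[Callable[[Record], bool], Callable[[Record], bool]]] = {
    "ipc_access_ipc": (filter_dst_is_ipc, judge_both_ipc),
    "ipc_access_forbidden_protocol": (filter_dst_forbidden_port, judge_src_ipc),
}


def detect_window(records: List[Record], start_time: datetime, end_time: datetime,
                  variant: str, now: datetime) -> List[Dict]:
    """Steps (2) to (6) of fig. 2 for one variant: select the window, apply the filter,
    apply the judgement, and assemble a security event for each hit."""
    flt, judge = VARIANTS[variant]
    events: List[Dict] = []
    for r in records:
        if not (start_time <= r["ts"] < end_time):   # step (2): traffic inside the window
            continue
        if not flt(r):                                # step (3): filtering condition
            continue
        if not judge(r):                              # step (4): otherwise take the next flow
            continue
        events.append({                               # steps (5) and (6)
            "event_type": variant, "src_ip": r["src_ip"], "dst_ip": r["dst_ip"],
            "dst_port": r["dst_port"], "flow_time": r["ts"].isoformat(),
            "ipc": IPC_DETAILS.get(r["src_ip"], {}), "alarm_time": now.isoformat()})
    return events


class Detector:
    """Runs both variants over each window and carries end_time forward between runs."""

    def __init__(self) -> None:
        self.prev_end: Optional[datetime] = None

    def run(self, records: List[Record], now: datetime) -> Tuple[datetime, datetime, List[Dict]]:
        start_time, end_time = next_window(self.prev_end, now)
        self.prev_end = end_time
        events: List[Dict] = []
        for variant in VARIANTS:
            events.extend(detect_window(records, start_time, end_time, variant, now))
        return start_time, end_time, events


# Constructed traffic records around two detection runs (T0 and T1 = T0 + 30 min).
T0 = datetime(2021, 9, 14, 12, 0, tzinfo=timezone.utc)
T1 = T0 + timedelta(minutes=30)
SAMPLE_RECORDS = [
    {"ts": T0 - timedelta(minutes=25), "src_ip": "190.0.3.221", "dst_ip": "188.22.5.33", "dst_port": 554},
    {"ts": T0 - timedelta(minutes=20), "src_ip": "188.22.5.33", "dst_ip": "10.0.0.9", "dst_port": 3306},
    {"ts": T0 - timedelta(minutes=15), "src_ip": "10.0.0.50", "dst_ip": "188.22.5.33", "dst_port": 80},
    {"ts": T0 + timedelta(minutes=15), "src_ip": "190.0.3.221", "dst_ip": "10.0.0.9", "dst_port": 22},
]

if __name__ == "__main__":
    detector = Detector()
    for now in (T0, T1):
        start, end, events = detector.run(SAMPLE_RECORDS, now)
        print(f"window {start.isoformat()} .. {end.isoformat()}: {len(events)} event(s)")
        for e in events:
            print("  ", e["event_type"], e["src_ip"], "->", e["dst_ip"], e["dst_port"])
```

Carrying the previous end_time forward means consecutive runs form contiguous, non-overlapping windows, so a flow is reported once; the 10-minute lag before end_time leaves time for late-arriving records to be indexed before the window that covers them is examined.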
Therefore, the black list provided by this embodiment can detect both the violation of an IPC accessing another IPC and the violation of an IPC accessing a forbidden protocol. If traffic occurs in which both the source and destination addresses are IPC addresses, a security event is recorded. If the source address is an IPC address and the destination port is one of the protocol ports that IPCs are forbidden to access, the IPC is judged to have accessed a forbidden protocol, and alarm information is generated.
According to this embodiment, IPC violations can be analyzed by auditing the network traffic generated by the devices in the network, and alarm information is then generated; from the user's perspective, this helps the customer perceive IPC violations in the network, thereby ensuring the security of the devices in the network.
The security detection apparatus for a dumb terminal provided by an embodiment of the present application is introduced below; the apparatus described below and the security detection method for a dumb terminal described above may be referred to each other.
Referring to fig. 3, an embodiment of the present application discloses a dumb terminal security detection apparatus, including:
an acquisition module 301, configured to acquire network traffic data;
a determining module 302, configured to determine a source end and a destination end of the network traffic data;
and a detection module 303, configured to raise an alarm if the source end is a dumb terminal and the destination end prohibits access by dumb terminals.
In a specific embodiment, the acquisition module is specifically configured to:
acquire network traffic data within a preset time period.
In a specific embodiment, the detection module is specifically configured to:
acquire terminal information of the dumb terminal, generate an alarm event based on the terminal information, and record an alarm timestamp;
and store the alarm event and the alarm timestamp in a database.
In a specific embodiment, the detection module is specifically configured to:
acquire source identification information of the source end from the network traffic data;
compare the source identification information with each item of preset dumb terminal identification information;
and if the source identification information is the same as any item of dumb terminal identification information, determine that the source end is a dumb terminal.
In a specific embodiment, the detection module is specifically configured to:
acquire destination identification information of the destination end from the network traffic data;
compare the destination identification information with each item of preset forbidden end identification information, the forbidden end identification information being the identification information of each end that dumb terminals are forbidden to access;
and if the destination identification information is the same as any item of forbidden end identification information, determine that the destination end prohibits access by dumb terminals.
In one embodiment, the forbidden end identification information includes each item of preset dumb terminal identification information and/or the data access port of at least one protocol.
In a specific embodiment, the apparatus further includes:
a filtering module, configured to filter the network traffic data by using a white list, so as to remove from the network traffic data the target traffic data matching the white list; the white list records the identification information of each end that dumb terminals are allowed to access.
In a specific embodiment, the apparatus further includes:
a recording module, configured to record the network traffic data if the source end is a dumb terminal, the destination end does not prohibit access by dumb terminals, and the destination end is not recorded in the white list.
For the specific working process of each module and unit in this embodiment, reference may be made to the corresponding content disclosed in the foregoing embodiments, which is not repeated here.
As can be seen, this embodiment provides a security detection apparatus for a dumb terminal which takes network traffic data as its basis: after the source end and destination end of the network traffic data have been determined, a source end that is a dumb terminal together with a destination end that prohibits access by dumb terminals indicates that the network traffic data is abnormal access data, that is, the dumb terminal has accessed a destination it is forbidden to access; the alarm makes the violation by the dumb terminal in the network visible and gives a timely prompt, thereby ensuring the security of each device in the network.
In the following, an electronic device provided by an embodiment of the present application is introduced, and the electronic device described below and the method and the apparatus for detecting the security of the dumb terminal described above may refer to each other.
Referring to fig. 4, an embodiment of the present application discloses an electronic device, including:
a memory 401 for storing a computer program;
a processor 402 for executing said computer program for implementing the method disclosed in any of the embodiments described above.
Referring to fig. 5, fig. 5 is a schematic diagram of another electronic device provided in this embodiment. The electronic device may vary considerably in configuration or performance, and may include one or more processors (CPUs) 322 (e.g., one or more processors), a memory 332, and one or more storage media 330 (e.g., one or more mass storage devices) storing an application 342 or data 344. Memory 332 and storage media 330 may be, among other things, transient storage or persistent storage. The program stored on the storage medium 330 may include one or more modules (not shown), each of which may include a series of instructions operating on a data processing device. Still further, the central processor 322 may be configured to communicate with the storage medium 330 to execute a series of instruction operations in the storage medium 330 on the electronic device 301.
The electronic device 301 may also include one or more power sources 326, one or more wired or wireless network interfaces 350, one or more input-output interfaces 358, and/or one or more operating systems 341, such as Windows Server, Mac OS X, Unix, Linux, FreeBSD, etc.
In fig. 5, the application 342 may be a program that performs the dumb terminal security detection method, and the data 344 may be data required for or generated by the dumb terminal security detection method.
The steps in the above-described dumb terminal security detection method may be implemented by the structure of an electronic device.
In the following, a readable storage medium provided by an embodiment of the present application is introduced, and a readable storage medium described below and a method, an apparatus, and a device for detecting the security of a dumb terminal described above may be referred to each other.
A readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the dumb terminal security detection method disclosed in the foregoing embodiments. For the specific steps of the method, reference may be made to the corresponding contents disclosed in the foregoing embodiments, which are not described herein again.
References in this application to "first," "second," "third," "fourth," etc., if any, are intended to distinguish between similar elements and not necessarily to describe a particular order or sequence. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that the embodiments described herein may be practiced otherwise than as specifically illustrated or described herein. Furthermore, the terms "comprises" and "comprising," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, or apparatus.
It should be noted that the descriptions in this application referring to "first", "second", etc. are for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In addition, technical solutions between various embodiments may be combined with each other, but must be realized by a person skilled in the art, and when the technical solutions are contradictory or cannot be realized, such a combination should not be considered to exist, and is not within the protection scope of the present application.
The embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts among the embodiments are referred to each other.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of readable storage medium known in the art.
The principle and the implementation of the present application are explained herein by applying specific examples, and the above description of the embodiments is only used to help understand the method and the core idea of the present application; meanwhile, for a person skilled in the art, according to the idea of the present application, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present application.

Claims (10)

1. A security detection method for a dumb terminal is characterized by comprising the following steps:
acquiring network flow data;
determining a source end and a destination end of the network traffic data;
and if the source end is a dumb terminal and the destination end prohibits the access of the dumb terminal, alarming.
2. The dumb terminal security detection method according to claim 1, wherein said obtaining network traffic data includes:
and acquiring network flow data in a preset time period.
3. The dumb terminal security detection method according to claim 1, wherein said alerting comprises:
acquiring terminal information of the dumb terminal, generating an alarm event based on the terminal information, and recording an alarm timestamp;
and storing the alarm event and the alarm timestamp into a database.
4. The dumb terminal security detection method of claim 1, further comprising:
acquiring source identification information of the source end from the network traffic data;
comparing the source identification information with preset dumb terminal identification information;
and if the source identification information is the same as any dumb terminal identification information, determining that the source end is a dumb terminal.
5. The dumb terminal security detection method of claim 1, further comprising:
acquiring destination identification information of the destination from the network traffic data;
comparing the destination identification information with each preset forbidden end identification information, the forbidden end identification information being the identification information of each end which the dumb terminal is forbidden to access;
and if the destination identification information is the same as the identification information of any forbidden terminal, determining that the destination terminal forbids the access of the dumb terminal.
6. The dumb terminal security detection method of claim 5, wherein the forbidden end identification information includes: preset identification information of each dumb terminal and/or a data access port of at least one protocol.
7. The dumb terminal security detection method according to any one of claims 1 to 6, further comprising, before determining the source end and the destination end of the network traffic data:
filtering the network traffic data by using a white list to filter target traffic data corresponding to the white list from the network traffic data; and the white list records identification information of each terminal which allows the dumb terminal to access.
8. A dumb terminal security detection device, comprising:
the acquisition module is used for acquiring network flow data;
the determining module is used for determining a source end and a destination end of the network flow data;
and the detection module is used for giving an alarm if the source end is a dumb terminal and the destination end prohibits the access of the dumb terminal.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the dumb terminal security detection method of any one of claims 1 to 7.
10. A readable storage medium storing a computer program, wherein the computer program when executed by a processor implements the dumb terminal security detection method of any one of claims 1 to 7.
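A worked example of the method of claims 1 to 7 (and of the device summarized in the description above), added here as an illustration rather than code from the patent or from its assignee. It uses IP addresses as the "identification information", a whitelist of destinations applied before classification (claim 7), a preset table of dumb terminals (claim 4), and a forbidden-end table made of the other dumb terminals' identifiers plus management ports of a few protocols (claim 6); alarm events carry terminal information and a timestamp and are written to a database (claim 3), here an in-memory SQLite table. All addresses, device names, ports and flow records are constructed assumptions.

```python
"""Reference implementation of the dumb-terminal detection steps in claims 1-7.
Added example, not code from the patent or its assignee; every address, name
and policy table below is constructed for the demonstration."""
import sqlite3
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Flow:
    """One network traffic record (claim 1: acquired network traffic data)."""
    ts: datetime
    src: str      # source identification information (an IP address here)
    dst: str      # destination identification information
    proto: str    # transport protocol
    dport: int    # destination port


# Constructed policy tables (assumptions, not values from the patent text).
DUMB_TERMINALS = {"10.0.1.10": "camera-lobby", "10.0.1.11": "printer-3f"}  # claim 4
WHITELIST = {"10.0.0.5"}                                      # claim 7: ends a dumb terminal may access
FORBIDDEN_PORTS = {("tcp", 22), ("tcp", 445), ("tcp", 3389)}  # claim 6: data access ports of protocols


def open_alarm_db() -> sqlite3.Connection:
    """Claim 3: alarm events and timestamps are stored in a database (in-memory here)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE alarms (alarm_ts TEXT, terminal TEXT, src TEXT, dst TEXT, proto TEXT, dport INTEGER)"
    )
    return conn


def is_dumb_terminal(src: str) -> bool:
    """Claim 4: the source end is a dumb terminal if its identifier matches a preset one."""
    return src in DUMB_TERMINALS


def destination_forbidden(flow: Flow) -> bool:
    """Claims 5-6: the destination forbids dumb-terminal access if it is itself another
    dumb terminal (devices that should never talk to each other) or a management port
    of a protocol a dumb terminal has no legitimate reason to use."""
    return flow.dst in DUMB_TERMINALS or (flow.proto, flow.dport) in FORBIDDEN_PORTS


def detect(flows, start: datetime, end: datetime, conn: sqlite3.Connection, now=None):
    """Run the method of claims 1-7 over `flows` and return the alarm events raised."""
    now = now or datetime.now(timezone.utc)
    alarms = []
    window = [f for f in flows if start <= f.ts < end]          # claim 2: preset time period
    candidates = [f for f in window if f.dst not in WHITELIST]  # claim 7: whitelist filtering
    for f in candidates:
        if is_dumb_terminal(f.src) and destination_forbidden(f):
            # claim 3: build the alarm event from terminal info and record an alarm timestamp
            event = {
                "alarm_ts": now.isoformat(),
                "terminal": DUMB_TERMINALS[f.src],
                "src": f.src, "dst": f.dst, "proto": f.proto, "dport": f.dport,
            }
            conn.execute(
                "INSERT INTO alarms VALUES (:alarm_ts, :terminal, :src, :dst, :proto, :dport)", event
            )
            alarms.append(event)
    conn.commit()
    return alarms


def sample_flows():
    """Constructed traffic for the demo: five flows, two of which should raise an alarm."""
    def t(minute):
        return datetime(2021, 9, 14, 10, minute, tzinfo=timezone.utc)
    return [
        Flow(t(1), "10.0.1.10", "10.0.0.5", "tcp", 554),    # camera -> NVR: whitelisted
        Flow(t(2), "10.0.1.10", "10.0.2.20", "tcp", 22),    # camera -> SSH on a server: alarm
        Flow(t(3), "10.0.1.11", "10.0.1.10", "tcp", 80),    # printer -> camera: alarm (dumb to dumb)
        Flow(t(4), "10.0.3.7", "10.0.1.10", "tcp", 80),     # workstation -> camera: source not dumb
        Flow(t(45), "10.0.1.10", "10.0.2.20", "tcp", 22),   # same as the second flow, outside the window
    ]


def run_demo():
    """Detect over the constructed flows in a 30-minute window; return (alarms, rows stored)."""
    conn = open_alarm_db()
    start = datetime(2021, 9, 14, 10, 0, tzinfo=timezone.utc)
    end = datetime(2021, 9, 14, 10, 30, tzinfo=timezone.utc)
    alarms = detect(sample_flows(), start, end, conn)
    stored = conn.execute("SELECT COUNT(*) FROM alarms").fetchone()[0]
    return alarms, stored


if __name__ == "__main__":
    for alarm in run_demo()[0]:
        print(alarm)
```

The whitelist is applied before classification, as claim 7 orders it, so a camera streaming to its recorder never reaches the rule even though that recorder might otherwise sit on a forbidden port list. In a deployment the identification tables would come from an asset inventory (and keying on IP alone is fragile under DHCP churn), and the alarm store would be persistent; the in-memory table here only demonstrates the storage step of claim 3.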
CN202111075398.1A 2021-09-14 2021-09-14 Mute terminal safety detection method, device, equipment and readable storage medium Pending CN113676490A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111075398.1A CN113676490A (en) 2021-09-14 2021-09-14 Mute terminal safety detection method, device, equipment and readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111075398.1A CN113676490A (en) 2021-09-14 2021-09-14 Mute terminal safety detection method, device, equipment and readable storage medium

Publications (1)

Publication Number Publication Date
CN113676490A true CN113676490A (en) 2021-11-19

Family

ID=78549370

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111075398.1A Pending CN113676490A (en) 2021-09-14 2021-09-14 Mute terminal safety detection method, device, equipment and readable storage medium

Country Status (1)

Country Link
CN (1) CN113676490A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114466249A (en) * 2022-04-13 2022-05-10 荣耀终端有限公司 Data request processing method, device and storage medium
CN114598511A (en) * 2022-02-24 2022-06-07 广东电网有限责任公司 Real-time monitoring system for network-related network
CN116915503A (en) * 2023-09-08 2023-10-20 成都卓拙科技有限公司 Illegal external connection detection method and device, storage medium and electronic equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020133586A1 (en) * 2001-01-16 2002-09-19 Carter Shanklin Method and device for monitoring data traffic and preventing unauthorized access to a network
US20100262688A1 (en) * 2009-01-21 2010-10-14 Daniar Hussain Systems, methods, and devices for detecting security vulnerabilities in ip networks
US20180359269A1 (en) * 2017-06-09 2018-12-13 Verizon Patent And Licensing Inc. Systems and methods for policing and protecting networks from attacks
US20190297108A1 (en) * 2018-03-23 2019-09-26 Cisco Technology, Inc. Network security indicator of compromise based on human control classifications
CN111343194A (en) * 2020-03-09 2020-06-26 深信服科技股份有限公司 Camera violation identification method, system and equipment and computer storage medium

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114598511A (en) * 2022-02-24 2022-06-07 广东电网有限责任公司 Real-time monitoring system for network-related network
CN114598511B (en) * 2022-02-24 2024-01-19 广东电网有限责任公司 Real-time monitoring system of network involved
CN114466249A (en) * 2022-04-13 2022-05-10 荣耀终端有限公司 Data request processing method, device and storage medium
CN114466249B (en) * 2022-04-13 2022-09-20 荣耀终端有限公司 Data request processing method, device and storage medium
CN116915503A (en) * 2023-09-08 2023-10-20 成都卓拙科技有限公司 Illegal external connection detection method and device, storage medium and electronic equipment
CN116915503B (en) * 2023-09-08 2023-11-14 成都卓拙科技有限公司 Illegal external connection detection method and device, storage medium and electronic equipment

Similar Documents

Publication Publication Date Title
CN113676490A (en) Mute terminal safety detection method, device, equipment and readable storage medium
EP3410336B1 (en) Forensic analysis
CN111132120B (en) Method, system and equipment for identifying camera device in room local area network
EP3595297B1 (en) Abnormality detection method and network video recorder (nvr)
CN109428857B (en) Detection method and device for malicious detection behaviors
CN113472772A (en) Network attack detection method and device, electronic equipment and storage medium
CN112818307A (en) User operation processing method, system, device and computer readable storage medium
CN110933082B (en) Method, device and equipment for identifying lost host and storage medium
CN107465652B (en) Operation behavior detection method, server and system
CN113315785B (en) Alarm reduction method, device, equipment and computer readable storage medium
KR20160087187A (en) Cyber blackbox system and method thereof
CN115225385B (en) Flow monitoring method, system, equipment and computer readable storage medium
CN116841645A (en) Database flow processing method and system for database audit
CN112769635A (en) Service identification method and device for multi-granularity feature analysis
CN115567258B (en) Network security situation awareness method, system, electronic equipment and storage medium
CN113098727A (en) Data packet detection processing method and device
CN114338214B (en) Risk control method and system
CN113596050B (en) Abnormal flow separation and filtration method, system, storage medium and electronic equipment
CN110071936B (en) System and method for identifying proxy IP
CN110661799B (en) ARP (Address resolution protocol) deception behavior detection method and system
CN113347136B (en) Access authentication method, device, equipment and storage medium
CN111859363B (en) Method and device for identifying unauthorized access of application and electronic equipment
CN112541183B (en) Data processing method and device, edge computing equipment and storage medium
CN112702234A (en) Identification method and device for multi-network connection equipment
CN117749501A (en) Abnormality analysis method, abnormality analysis device, electronic device, and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20211119)