CN114254308A - Threat detection method and device for Internet of things equipment, electronic equipment and storage medium - Google Patents


Info

Publication number: CN114254308A
Authority: CN (China)
Application number: CN202111583424.1A
Other languages: Chinese (zh)
Other versions: CN114254308B (granted version)
Inventors: 刘佳男, 王昆明, 李柏松, 肖新光
Current assignee: Antiy Technology Group Co Ltd
Original assignee: Antiy Technology Group Co Ltd
Legal status: granted, active
Prior art keywords: detection, internet, feature, information, things

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/554: Detecting local intrusion or implementing counter-measures involving event detection and direct action

Landscapes

  • Engineering & Computer Science
  • Computer Security & Cryptography
  • Software Systems
  • Theoretical Computer Science
  • Computer Hardware Design
  • Physics & Mathematics
  • General Engineering & Computer Science
  • General Physics & Mathematics
  • Computer And Data Communications

Abstract

The invention provides a threat detection method and device for Internet of Things equipment, an electronic device and a storage medium. The method comprises the following steps: acquiring state feature information of the Internet of Things equipment to be detected; searching a system feature library based on the acquired state feature information to identify the operating system type of the equipment to be detected; searching a detection scheme library based on the identified operating system type to determine a detection scheme; searching a baseline detection database based on the acquired state feature information to determine baseline detection data; according to the determined detection scheme and a user input instruction, comparing and analyzing the acquired state feature information against the baseline detection data, judging whether an abnormality has occurred, and generating a detection result; and outputting the detection result. The method and device can detect the security state of Internet of Things equipment and discover cyberspace threats to it, and thereby provide a reliable basis for subsequent in-depth analysis and response handling.

Description

Threat detection method and device for Internet of things equipment, electronic equipment and storage medium
Technical Field
Embodiments of the invention relate to the technical field of network security, in particular to a threat detection method and device for Internet of Things equipment, an electronic device and a storage medium.
Background
The Internet of Things (IoT) interconnects various end devices and facilities (such as sensors, mobile terminals, industrial systems, building control systems, smart home facilities, video surveillance systems, and vehicles with wireless terminals) through a communication network, and provides secure, controllable and personalized management and service functions such as real-time online monitoring, location and traceability, alarm linkage, dispatch and command, plan management, remote control, security precaution, remote maintenance, online upgrade, statistical reports, decision support and executive dashboards, so as to integrate the management, control and operation of all things. As the global level of informatization rises, the IoT industry keeps growing and more fields are adopting IoT equipment. At the same time, over the last decade IoT security incidents have become frequent worldwide, the cyberspace threat faced by IoT equipment has intensified, and building IoT security defense capability faces more challenges.
Because IoT devices are numerous and differ greatly in form and technical composition, security measures aimed at IoT devices and the related information infrastructure, such as dedicated security authentication and encryption, are constrained by economic cost and technical specifications, and this limits their large-scale deployment and application.
Disclosure of Invention
Given the high difficulty and high economic cost of securing IoT devices, the invention provides a threat detection method and device for IoT equipment, an electronic device and a storage medium, so that abnormal states of various IoT devices can be detected efficiently.
In a first aspect, an embodiment of the present invention provides a threat detection method for an internet of things device, including:
acquiring state characteristic information of the to-be-detected Internet of things equipment;
searching in a system feature library based on the acquired state feature information, and identifying the type of an operating system of the to-be-detected Internet of things equipment;
searching in a detection scheme library based on the identified operating system type to determine a detection scheme;
searching in a baseline detection database based on the acquired state characteristic information to determine baseline detection data;
according to the determined detection scheme and a user input instruction, comparing and analyzing the acquired state characteristic information and baseline detection data, judging whether abnormality occurs or not, and generating a detection result;
and outputting the detection result.
Optionally, the threat detection method further includes:
before searching the system feature library based on the acquired state feature information, acquiring the operating-system judgment features of various IoT devices and constructing the system feature library.
Optionally, the threat detection method further includes:
before searching the detection scheme library based on the identified operating system type, acquiring a plurality of detection schemes suitable for IoT operating systems, classifying them according to their applicable conditions, and constructing the detection scheme library; the applicable condition at least comprises the kind of operating system to which the scheme applies.
Optionally, the threat detection method further includes:
before searching the baseline detection database based on the acquired state feature information, acquiring normal state information of key states of various IoT equipment and constructing the baseline detection database; the key states comprise the factory state, the state when initial configuration is completed, and the state when a specified configuration is saved.
Optionally, the normal state information includes one or more of device basic characteristics, operation characteristics, log characteristics, process characteristics, and network characteristics.
Optionally, the comparing and analyzing of the acquired state feature information and the baseline detection data according to the determined detection scheme and the user input instruction, judging whether an abnormality has occurred, and generating a detection result includes:
selecting and executing either a complete matching mode or a partial matching mode according to the determined detection scheme and the user input instruction;
in complete matching mode, extracting feature items from the acquired state feature information and from the baseline detection data according to the determined detection scheme and comparing them; if and only if the comparison results of all extracted feature items are identical, judging that no abnormality has occurred, otherwise judging that an abnormality has occurred and determining the abnormal feature items;
in partial matching mode, extracting feature items from the acquired state feature information and from the baseline detection data according to the determined detection scheme and comparing them, the feature items being divided into basic feature items and additional feature items; if the comparison results of the basic feature items are identical and the comparison results of the additional feature items satisfy a detection rule, judging that no abnormality has occurred, otherwise judging that an abnormality has occurred and determining the abnormal feature items;
and generating a detection result, where the detection result comprises a label indicating whether the state is abnormal and, if the label is abnormal, also comprises the abnormal feature items.
In a second aspect, an embodiment of the present invention further provides a threat detection apparatus for an internet of things device, including:
the information extraction module is used for acquiring state characteristic information of the to-be-detected Internet of things equipment;
the system judgment module is used for searching in a system feature library based on the acquired state feature information and identifying the type of an operating system of the to-be-detected Internet of things equipment;
the data analysis module is used for searching in the detection scheme library based on the identified operating system type to determine a detection scheme;
searching in a baseline detection database based on the acquired state characteristic information to determine baseline detection data;
comparing and analyzing the acquired state characteristic information and the baseline detection data according to the determined detection scheme and the user input instruction, judging whether the abnormality occurs or not, and generating a detection result;
and the result output module is used for outputting the detection result.
Optionally, the threat detection apparatus of the internet of things device is relatively independent of the internet of things device to be detected.
In a third aspect, an embodiment of the present invention further provides an electronic device, which includes a memory and a processor, where the memory stores a computer program, and when the processor executes the computer program, the threat detection method for an internet of things device according to any embodiment of this specification is implemented.
In a fourth aspect, an embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, and when the computer program is executed in a computer, the computer program causes the computer to execute the threat detection method for an internet of things device according to any embodiment of the present specification.
Embodiments of the invention provide a threat detection method and device for IoT equipment, an electronic device and a storage medium. The method acquires the state feature information of the IoT equipment to be detected, uses the equipment's normal state information as a baseline, and formulates a corresponding detection scheme in combination with the equipment's specific operating system, so that abnormalities of the operating system can be found quickly and effectively. It is highly extensible and suitable for different IoT equipment; once the required state feature information has been acquired from the equipment to be detected, no software or hardware resources of the IoT equipment are needed, so the negative impact that network security defense operations might have on the IoT equipment is reduced as far as possible.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a flowchart of a threat detection method for an internet of things device according to an embodiment of the present invention;
fig. 2 is a flowchart of another threat detection method for internet of things devices according to an embodiment of the present invention;
FIG. 3 is a diagram of a hardware architecture of an electronic device according to an embodiment of the present invention;
fig. 4 is a structural diagram of a threat detection apparatus of an internet of things device according to an embodiment of the present invention;
fig. 5 is a structural diagram of another threat detection apparatus for internet of things equipment according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer and more complete, the technical solutions in the embodiments of the present invention will be described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention, and based on the embodiments of the present invention, all other embodiments obtained by a person of ordinary skill in the art without creative efforts belong to the scope of the present invention.
As noted above, IoT security incidents have occurred frequently in recent years, posing more challenges to building IoT security defense capability. IoT security in China is constrained by factors such as policy layout, the stage of industrial development and the maturity of the core terminal industry; it faces many cyberspace threats, and the overall level of protection has considerable room for improvement. IoT devices are numerous, differ greatly in form and technical composition, come from different manufacturers, and run different operating systems and execution standards; although some IoT devices have security measures such as dedicated security authentication and lightweight encryption and decryption, difficulties in economic cost and technical specification limit the large-scale deployment of existing security measures to a certain extent. To address the problems of the prior art, namely that securing IoT devices is difficult and that users are sensitive to any increase in the economic cost of IoT devices, the invention provides a method for efficiently detecting IoT devices based on an IoT device baseline, so that more general, low-cost security detection of IoT devices can be achieved without directly occupying the relatively limited resources of the devices themselves.
Specific implementations of the above concepts are described below.
Referring to fig. 1, an embodiment of the present invention provides a threat detection method for an internet of things device, where the method includes:
step 100, acquiring state characteristic information of the to-be-detected Internet of things equipment;
step 102, searching in a system feature library based on the acquired state feature information, and identifying the type of operating system of the to-be-detected Internet of things equipment;
the system feature library is stored with operating system judgment features of various Internet of things devices;
step 104, searching in a detection scheme library based on the identified operating system type to determine a detection scheme;
the detection scheme library stores a plurality of detection schemes, and each detection scheme comprises a detection rule, a detection step and an applicable condition;
step 106, searching in a baseline detection database based on the acquired state characteristic information, and determining baseline detection data;
the normal state information of various Internet of things equipment is stored in the baseline detection database and is used as baseline detection data;
step 108, comparing and analyzing the acquired state characteristic information and the baseline detection data according to the determined detection scheme and the user input instruction, judging whether the abnormality occurs or not, and generating a detection result;
and step 110, outputting a detection result.
Embodiments of the invention provide a general threat detection method for IoT equipment. For the large number of heterogeneous IoT terminal devices it adopts a baseline detection approach: information about the IoT equipment in its normal state is used as a baseline against which the equipment's current state features are compared, in order to determine whether the equipment is currently abnormal. The method is widely applicable, avoids significantly increasing the security protection cost and resource usage of the IoT equipment, can quickly detect the security state of the IoT equipment and discover cyberspace threats to it, and provides a reliable basis for subsequent in-depth analysis and response handling.
In some optional embodiments, as shown in fig. 2, the threat detection method for an internet of things device provided by the present invention further includes:
before searching the system feature library based on the acquired state feature information, acquiring the operating-system judgment features of various IoT devices and constructing the system feature library.
In the prior art there are many system feature libraries for personal terminals, but few for IoT devices. Where the prior art cannot support identification of the operating systems of the various IoT devices, system feature libraries for the different IoT operating systems can be constructed as required, so that the operating system of the IoT equipment to be detected can be matched and identified.
Optionally, as shown in fig. 2, the threat detection method for the internet of things device provided by the present invention further includes:
before searching the detection scheme library based on the identified operating system type, acquiring a plurality of detection schemes suitable for IoT operating systems, classifying them according to their applicable conditions, and constructing the detection scheme library; the applicable condition at least comprises the kind of operating system to which the scheme applies.
To facilitate extension, a detection scheme library supporting various IoT devices can be constructed as needed, and by updating the library the method and device can be adapted to different IoT devices and can detect them more effectively. Within the constructed library, a detection scheme can draw on the analysis algorithms covered by User and Entity Behavior Analytics (UEBA), such as feature statistical learning, dynamic behavior baselines and time-series before-and-after analysis, can be supplemented by online analysis, analytical modeling and offline analysis, and can also adopt machine learning algorithms such as isolation forest, K-means clustering, time-series analysis and change-point detection, so that the detection methods and rules are continuously optimized.
Further, the detection scheme library for common IoT operating systems includes, but is not limited to, detection schemes for: Unix, Linux, IOS (Cisco), FreeRTOS, VxWorks (Wind River Systems), Mbed OS (Arm), Android Things, Fuchsia OS (Google), Windows 10 IoT Core (Microsoft), Tizen (Samsung), AliOS Things (Alibaba), LiteOS (Huawei), oasis OS (nova hua), UHomeOS (Haier), HelloX, SylixOS (ACOINFO), μT/OS (large concatenated dragon software), Elastos, TreeOS (photo wheel electronics), RT-runner (morale), tre-treui, Ruff (Shanghai Nanchao), MiCO (Shanghai MXCHIP), Zephyr, μClinux (microsoft), QNX (BlackBerry), TRON, μC/OS-II/μC/OS-III, Ubuntu Core 16 (Canonical), Nucleus OS (Mentor), Ostro, TinyOS, eCos (GNU), Contiki, and so on.
The specific detection modes and detection rules used by the method have flexible adaptability, and the constructed detection schemes are oriented to the IoT equipment and operating systems in common use today and are managed centrally in the form of a detection scheme library. By building this library, the invention can support security detection of the IoT equipment in common use today, essentially covers the operating system types of such equipment, and has high generality and coverage.
Optionally, as shown in fig. 2, the threat detection method for the internet of things device provided by the present invention further includes:
before searching the baseline detection database based on the acquired state feature information, acquiring normal state information of key states of various IoT equipment and constructing the baseline detection database; the key states comprise the factory state, the state when initial configuration is completed, and the state when a specified configuration is saved.
In this implementation, the collected original baseline data (that is, the normal state information of the key states of multiple pieces of IoT equipment) is general and comparable: it covers the factory state information, the state information when initial configuration is completed, and the state information when a specified configuration is saved, so as to cover several important time nodes of the equipment (leaving the factory, completion of user initial configuration, saving of a specified configuration, and so on). It is managed centrally in the form of a baseline detection database, can establish a general baseline at the operating system level, and is continuously updated (for example, by acquiring the state at a newly saved configuration), so the baseline detection database adapts dynamically and the comparison analysis stays accurate. Further, in step 106 the acquired state feature information is searched in the baseline detection database and, preferably, the normal state information whose time node is closest to the current time is used as the baseline detection data, so that abnormalities of the IoT equipment under detection are found in time.
Optionally, for step 100, the acquired state feature information may correspond to the normal state information stored in the baseline detection database. Further, the normal state information includes one or more of device basic features, operation features, log features, process features and network features.
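The three library lookups that precede the comparison (step 102 identifying the operating system from the system feature library, step 104 selecting a scheme by its applicable condition, and step 106 choosing the baseline whose time node is closest to the capture), as an added example in Python; this is not code from the patent or from Antiy. The layouts of the three libraries, the field names, the rule that a baseline later than the capture is never chosen, and all sample records are assumptions; dates are ISO strings so that plain string comparison orders them.

```python
"""Added example (not the patent's own code): steps 102, 104 and 106 over constructed libraries."""
from typing import Any, Dict, List, Optional

# System feature library (constructed): OS type -> judgement features that must all be
# present, with these values, in the state feature information.
SYSTEM_FEATURE_LIBRARY: Dict[str, Dict[str, Any]] = {
    "Linux": {"kernel_name": "Linux", "init_path": "/sbin/init"},
    "FreeRTOS": {"kernel_name": "FreeRTOS"},
    "Windows 10 IoT Core": {"kernel_name": "Windows NT", "edition": "IoT Core"},
}

# Detection scheme library (constructed): each scheme carries its applicable condition,
# here the list of OS types it applies to, and a default matching mode.
DETECTION_SCHEME_LIBRARY: List[Dict[str, Any]] = [
    {"name": "Linux system detection scheme", "applicable_os": ["Linux"], "default_mode": "partial"},
    {"name": "FreeRTOS system detection scheme", "applicable_os": ["FreeRTOS"], "default_mode": "complete"},
]

# Baseline detection database (constructed): normal state information at the key states,
# each record stamped with the time node (ISO date) at which it was collected.
BASELINE_DB: List[Dict[str, Any]] = [
    {"os": "Linux", "model": "cam-1000", "key_state": "factory",
     "time": "2021-01-10", "features": {"open_ports": [80]}},
    {"os": "Linux", "model": "cam-1000", "key_state": "initial_configuration_done",
     "time": "2021-03-01", "features": {"open_ports": [22, 80]}},
    {"os": "Linux", "model": "cam-1000", "key_state": "saved_configuration",
     "time": "2021-09-15", "features": {"open_ports": [22, 80, 8443]}},
]


def identify_os(state: Dict[str, Any]) -> Optional[str]:
    """Step 102: the OS type whose judgement features all match the captured state.
    If several match, take the most specific entry (most features) so a generic entry
    does not shadow a precise one; None means the OS is not in the library."""
    matches = [(len(feats), os_type) for os_type, feats in SYSTEM_FEATURE_LIBRARY.items()
               if all(state.get(k) == v for k, v in feats.items())]
    return max(matches)[1] if matches else None


def find_scheme(os_type: Optional[str]) -> Optional[Dict[str, Any]]:
    """Step 104: the first scheme whose applicable condition covers the OS type."""
    if os_type is None:
        return None
    return next((s for s in DETECTION_SCHEME_LIBRARY if os_type in s["applicable_os"]), None)


def select_baseline(os_type: str, model: str, capture_time: str) -> Optional[Dict[str, Any]]:
    """Step 106: among the baselines for this OS and model, the one whose time node is
    closest to, but not after, the capture time; a later baseline describes a
    configuration the device had not reached when the capture was taken."""
    candidates = [r for r in BASELINE_DB
                  if r["os"] == os_type and r["model"] == model and r["time"] <= capture_time]
    return max(candidates, key=lambda r: r["time"]) if candidates else None


def prepare_detection(state: Dict[str, Any], capture_time: str) -> Dict[str, Any]:
    """Run the three lookups. 'ready' is False when any library lacks an entry; that case
    is resolved by extending the libraries, never by guessing a scheme or baseline."""
    os_type = identify_os(state)
    scheme = find_scheme(os_type)
    baseline = select_baseline(os_type, state.get("model", ""), capture_time) if os_type else None
    return {"os_type": os_type,
            "scheme": scheme["name"] if scheme else None,
            "baseline_state": baseline["key_state"] if baseline else None,
            "ready": all(x is not None for x in (os_type, scheme, baseline))}


# Constructed capture from the device to be detected.
CAPTURED_STATE = {"kernel_name": "Linux", "init_path": "/sbin/init",
                  "model": "cam-1000", "open_ports": [22, 80]}

if __name__ == "__main__":
    print(prepare_detection(CAPTURED_STATE, "2021-06-01"))
```

A capture taken in June 2021 is paired with the March initial-configuration baseline rather than the September one, and a device whose OS or model has no library entry comes back with `ready` set to False instead of a silently mismatched comparison.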
Further, the data items of the device basic features may include: terminal host name, operating system type, network card name, IP addresses (IPv4 and IPv6), MAC address, network utilization, CPU utilization, memory utilization, hard disk space and its utilization, logged-in user names, etc.
The data items of the operational characteristics may include:
1) file handle information, data items include: handle, file path, drive, etc.;
2) Dynamic Link Library (DLL) information, data items including: name, file path, file size, modification time, description, etc.;
3) loaded drivers, data items including: driver name, display name, boot type, state, modification time, file size, image path, publisher, etc.;
4) system autostart items, data items including: file, publisher, description, registry key, modification time, file size, image path, state, etc.;
5) scheduled tasks, data items including: task name, state, description, task type, modification time, file size, image path/CLSID, task parameters, task path, etc.;
6) system services, data items include: service name, display name, boot type, PID, description, state, group, modification time, file size, image path, publisher, service parameters, etc.;
7) Service Provider Interface (SPI) information, data items including: name, publisher, description, GUID, modification time, file size, image path, etc.;
8) system registry and its change information, the data item includes: name, type, key value, etc.;
9) kernel module information, data items include: file name, base address, image size, identification, ordinal number, file size, image path, modification time, publisher, etc.;
10) System Service Descriptor Table (SSDT) and Shadow System Service Descriptor Table (Shadow SSDT) information, data items including: ordinal number, function, current base address, original address, image path, SSDT hook, inline hook, etc.;
11) a message hook, the data item comprising: handle, type, address, module path, mapping path, process ID, global hook or not, etc.;
12) program hooks and kernel hooks, mainly those registered with the system;
13) directory objects, mainly all system kernel directory objects, data items including: name, type, directory, etc.;
14) Master Boot Record (MBR) information, data items including: the region and content obtained through the kernel API, the region and content obtained through SCSI commands, etc.;
15) DPC timer information, the data items including: timer objects, trigger period (milliseconds), entries, modules, modification time, file size, publisher, description, etc.;
16) the user and the account number change information thereof, and the data items comprise: user name, description, authority, last login time, total login times, whether a password is empty or not, password use duration, whether the password is never expired or not, status (forbidden, enabled, etc.), and the like;
17) command line history, data items include PowerShell, CMD, etc.
The log features may include:
1) an operating system log, the data items comprising: level, date and time, source, event ID, task category, detailed information, etc.;
2) application logs, data items including: level, date and time, source, event ID, task category, detailed information, etc.;
3) a system security log, the data items comprising: level, date and time, source, event ID, task category, detailed information, etc.;
4) system file installation log, data items including: level, date and time, source, event ID, task category, detailed information, etc., mainly for system patches, language packs, etc.;
5) and the file operation log comprises operation logs of file access, modification, deletion, copying and the like in the equipment.
The process features may include:
1) process information, collected for both running processes and processes with no backing file on disk, data items including: process name, process file name, file MD5, process ID, parent process ID, publisher, description, file size, image path, process state, start time, modification time, end time, EPROCESS, PEB, base address, CPU utilization, memory utilization, process owner information (user name, terminal information, login time and expiration time), command line (the command used to start the process), terminal type, etc.;
2) module information used by the process, data items including: module name (including path) loaded in the process and its file MD5, file size, last modification time of the module file, module run time, etc.;
3) child process information of the process, data items including: child process ID, child process name, parent process ID, child process user name, file name (including path) corresponding to the child process, child process command, child process start time, child process end time, etc.;
4) thread information, data items including: thread ID, priority, base address, module path, ETHREAD, TEB, suspend count, context switch count, etc.
The network characteristics may include:
1) system share information, data items include: share name, share type, current connection count, share path, etc.;
2) open ports, data items include: port number, transport protocol, port description, etc.;
3) ARP table information, data items include: interface, IP address (Internet address), MAC address (physical address), type (static, dynamic), etc.;
4) routing table information, data items include: interface list, IPv4 routing table (active/persistent routes: network destination, network mask, gateway, interface, metric), IPv6 routing table (active/persistent routes: interface, metric, network destination, gateway), etc.;
5) current inbound and outbound network connection information, data items include: connection time, process ID, process name, file name corresponding to the process, MD5 of the file corresponding to the process, protocol, local IP address, local port, remote IP address, remote port, number of bytes sent/received, network connection protocol (TCP, UDP, HTTP, HTTPS), etc.;
6) network connection history, data items being the same as current inbound and outbound network connection information;
7) hosts information, data items include: IP address, domain name;
8) DNS access data, including details of DNS query requests and responses.
In some embodiments, a plurality of the data items may be selected to form a feature vector representing the normal state information in the baseline detection database. Accordingly, when the state feature information is obtained in step 100, extraction may be full-scale (all data items related to the feature vector) or on-demand (only part of the data items related to the feature vector). Full-scale extraction is preferably performed by default, so as to facilitate the subsequent comprehensive comparison and analysis; if it is clear that a particular data item or items are sufficient for the detection purpose, on-demand (partial) extraction may be used instead. It should be noted that the data items listed above are not all of the feature items that can characterize the state; other data items may be added according to actual needs.
In some alternative embodiments, step 108 further comprises:
selecting and executing a complete matching mode or a partial matching mode according to the determined detection scheme and a user input instruction;
under a complete matching mode, extracting and comparing feature items from the acquired state feature information and baseline detection data according to a determined detection scheme, if and only if the extracted feature comparison results of all the items are completely the same, judging that no abnormality occurs, otherwise, judging that abnormality occurs, and determining an abnormal feature item;
under a partial matching mode, extracting and comparing feature items from the acquired state feature information and baseline detection data according to a determined detection scheme, wherein all the feature items are divided into basic feature items and additional feature items, if the comparison results of the basic feature items are the same and the comparison results of the additional feature items meet a detection rule, judging that no abnormality occurs, otherwise, judging that the abnormality occurs, and determining abnormal feature items;
and generating a detection result, wherein the detection result comprises a label indicating whether an abnormality occurred, and if the label is abnormal, the detection result also comprises the abnormal feature items.
In the above embodiment, step 108 may perform the comparative analysis in different working modes. The complete matching mode is a strict mode: the information extracted from the to-be-detected internet of things device must be strictly consistent with, and completely identical to, the established security baseline information. The partial matching mode is a loose mode: according to the detection scheme and the regular expressions set in its rules, a certain difference is allowed in non-key parts, or part of the information data is allowed to float within a legal/reasonable interval, while the remaining parts (namely the basic feature items) must still be consistent with the baseline detection information. For example, in a certain detection scheme and its rules, for UDP-Lite (the lightweight user datagram protocol at the transport layer of the IoT communication protocol family), the protocol reuses the UDP Length field to indicate its Checksum Coverage; whether the payload of a packet is checked, and how many bytes of it, is controlled by the user, and the value range of the Checksum Coverage is:
1) when the Checksum Coverage is 0, it is legal and indicates that the entire UDP-Lite packet is checked;
2) when the Checksum Coverage is not less than 8 and not more than the length of the whole UDP-Lite packet (UDP header plus payload), it is legal and indicates that the first Checksum Coverage bytes of the UDP-Lite packet are checked;
3) any other Checksum Coverage value is illegal.
Therefore, detection of the information related to the Checksum Coverage value is suited to the loose mode.
For step 110, the detection result is preferably output in a normalized common format (e.g., JSON), and its content may cover the names of the state information data items that differ from the baseline together with their difference points/values (including different/missing/extra items, values that differ or lie outside the legal/reasonable interval, etc.), for example:
Example 1: (a sample detection result record, shown as an image in the original publication; not reproduced here)
the detection result data adopts a standardized general data format, and can support other Internet of things security defense measures to use the detection result data as input data to carry out further linkage analysis and response.
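To make the two working modes of step 108 and the normalized output of step 110 concrete, the following Python is an added illustration and not code from the patent. The detection scheme, the feature item names, the sample baseline and observed records, and the rule encoding the UDP-Lite Checksum Coverage legality described above are all constructed for this example; the `cpu_usage_pct` interval rule is likewise an assumption.

```python
"""Complete (strict) and partial (loose) matching over a baseline record.

Added illustration of the matching modes and the normalized result format
described in the text; not code from the patent. Scheme, item names,
sample records and the Checksum Coverage rule are constructed.
"""
import json


def udplite_coverage_rule(value: dict) -> bool:
    """Legal Checksum Coverage values as stated in the text: 0 (whole packet
    checked) or 8 <= coverage <= total packet length; anything else is illegal."""
    cov, length = value["coverage"], value["length"]
    return cov == 0 or 8 <= cov <= length


# Constructed detection scheme: basic items must equal the baseline in both
# modes; additional items only need to satisfy their rule in partial mode
# (in complete mode they, too, must equal the baseline).
SCHEME = {
    "name": "example-rtos-scheme",
    "basic_items": ["firmware_md5", "boot_script_md5", "open_ports"],
    "additional_items": {
        "udplite_checksum": udplite_coverage_rule,
        "cpu_usage_pct": lambda v: 0 <= v <= 60,  # may float inside a legal interval
    },
}


def _exact(item: str, baseline: dict, observed: dict, findings: list) -> None:
    """Exact comparison of one item, recording missing / extra / different."""
    if item not in observed:
        findings.append({"item": item, "kind": "missing",
                         "baseline": baseline.get(item), "observed": None})
    elif item not in baseline:
        findings.append({"item": item, "kind": "extra",
                         "baseline": None, "observed": observed[item]})
    elif observed[item] != baseline[item]:
        findings.append({"item": item, "kind": "different",
                         "baseline": baseline[item], "observed": observed[item]})


def compare(observed: dict, baseline: dict, scheme: dict, mode: str) -> dict:
    """Step 108: compare in 'complete' or 'partial' mode and build the result."""
    if mode not in ("complete", "partial"):
        raise ValueError(f"unknown matching mode: {mode}")
    findings: list = []
    for item in scheme["basic_items"]:
        _exact(item, baseline, observed, findings)
    for item, rule in scheme["additional_items"].items():
        if mode == "complete":
            _exact(item, baseline, observed, findings)
        elif item not in observed:
            findings.append({"item": item, "kind": "missing",
                             "baseline": baseline.get(item), "observed": None})
        elif not rule(observed[item]):
            findings.append({"item": item, "kind": "illegal",
                             "baseline": baseline.get(item), "observed": observed[item]})
    return {
        "scheme": scheme["name"],
        "mode": mode,
        "label": "abnormal" if findings else "normal",
        "abnormal_items": findings,
    }


def to_json(result: dict) -> str:
    """Step 110: normalized common format for downstream defensive tooling."""
    return json.dumps(result, sort_keys=True, indent=2)


# Constructed sample records (full-scale extraction of every scheme item).
BASELINE = {
    "firmware_md5": "0123456789abcdef0123456789abcdef",
    "boot_script_md5": "fedcba9876543210fedcba9876543210",
    "open_ports": [22, 1883],
    "udplite_checksum": {"coverage": 0, "length": 40},
    "cpu_usage_pct": 20,
}
# Firmware hash changed plus an illegal coverage value: abnormal in both modes.
OBSERVED_TAMPERED = dict(BASELINE, firmware_md5="ffffffffffffffffffffffffffffffff",
                         udplite_checksum={"coverage": 4, "length": 40},
                         cpu_usage_pct=35)
# Only legal drift in additional items: abnormal in complete mode only.
OBSERVED_DRIFT = dict(BASELINE, udplite_checksum={"coverage": 16, "length": 40},
                      cpu_usage_pct=25)

if __name__ == "__main__":
    for obs in (OBSERVED_TAMPERED, OBSERVED_DRIFT):
        for mode in ("complete", "partial"):
            print(to_json(compare(obs, BASELINE, SCHEME, mode)))
```

Run against `OBSERVED_DRIFT`, the complete mode reports two differences while the partial mode reports none, which is exactly the distinction the text draws: a coverage of 16 within a 40-byte packet and a CPU load inside its interval are legal variation, not tampering. A changed firmware hash is flagged in both modes because it is a basic item.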
In a preferred embodiment, as shown in fig. 2, a threat detection method for an internet of things device provided by the present invention includes:
step 200, acquiring operating system judgment features of various Internet of things devices, and constructing a system feature library;
step 202, acquiring various detection schemes suitable for an operating system of the Internet of things equipment, classifying according to suitable conditions, and constructing a detection scheme library;
wherein, the applicable condition at least comprises the applicable operating system type;
step 204, acquiring normal state information of key states of various Internet of things devices, and constructing a baseline detection database;
the key states comprise a factory state, an initialized configuration completion time state and a specified configuration saving time state;
step 206, acquiring state characteristic information of the to-be-detected Internet of things equipment;
step 208, searching in a system feature library based on the acquired state feature information, and identifying the type of the operating system of the to-be-detected Internet of things equipment;
step 210, searching in a detection scheme library based on the identified operating system type, and determining a detection scheme;
step 212, based on the acquired state feature information, searching in a baseline detection database to determine baseline detection data;
step 214, comparing and analyzing the acquired state characteristic information and the baseline detection data according to the determined detection scheme and the user input instruction, judging whether the abnormality occurs, and generating a detection result;
and step 216, outputting the detection result.
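The following Python wires steps 200 to 216 together so that the three libraries and the lookups between them can be seen end to end. It is an added illustration, not code from the patent: the OS judgment features, the detection schemes and their applicable conditions, the device model "demo-coffee-maker", the key-state baselines and every hash are constructed, and the comparison of step 214 is reduced here to an exact compare of the scheme's items.

```python
"""Steps 200-216 of the method flow: system feature library, detection
scheme library, baseline detection database and one detection pass.

Added illustration, not the patent's code. Library contents, device model,
feature names and hashes are constructed; the comparison step is an exact
compare of the scheme's items.
"""
from dataclasses import dataclass

KEY_STATES = ("factory", "init_config_done", "config_saved")


@dataclass(frozen=True)
class DetectionScheme:
    name: str
    applicable: dict   # applicable condition; at least the OS type
    items: tuple       # feature items this scheme compares

    def applies_to(self, ctx: dict) -> bool:
        return all(ctx.get(k) == v for k, v in self.applicable.items())


# Step 200: operating-system judgment features (constructed fingerprints).
SYSTEM_FEATURE_LIBRARY = {
    "linux-embedded": {"kernel_name": "Linux", "shell": "busybox"},
    "freertos": {"kernel_name": "FreeRTOS"},
}

# Step 202: detection schemes classified by applicable condition.
SCHEME_LIBRARY = [
    DetectionScheme("linux-generic", {"os_type": "linux-embedded"},
                    ("firmware_md5", "init_script_md5", "open_ports")),
    DetectionScheme("linux-coffee-maker",
                    {"os_type": "linux-embedded", "device_model": "demo-coffee-maker"},
                    ("firmware_md5", "init_script_md5", "open_ports", "brew_profile_md5")),
    DetectionScheme("freertos-generic", {"os_type": "freertos"},
                    ("firmware_md5", "task_list")),
]

# Step 204: normal state information per (device model, key state).
BASELINE_DB = {
    ("demo-coffee-maker", "factory"): {
        "firmware_md5": "a" * 32, "init_script_md5": "b" * 32,
        "open_ports": [80], "brew_profile_md5": "c" * 32},
    ("demo-coffee-maker", "config_saved"): {
        "firmware_md5": "a" * 32, "init_script_md5": "b" * 32,
        "open_ports": [80, 1883], "brew_profile_md5": "d" * 32},
}


def identify_os(state: dict) -> str:
    """Step 208: the OS whose judgment features all appear in the state;
    the most specific entry (most features) wins, otherwise 'unknown'."""
    best, best_n = "unknown", 0
    for os_type, feats in SYSTEM_FEATURE_LIBRARY.items():
        if len(feats) > best_n and all(state.get(k) == v for k, v in feats.items()):
            best, best_n = os_type, len(feats)
    return best


def select_scheme(os_type: str, state: dict) -> DetectionScheme:
    """Step 210: the applicable scheme with the most specific condition."""
    ctx = {"os_type": os_type, "device_model": state.get("device_model")}
    candidates = [s for s in SCHEME_LIBRARY if s.applies_to(ctx)]
    if not candidates:
        raise LookupError(f"no detection scheme for OS type {os_type!r}")
    return max(candidates, key=lambda s: len(s.applicable))


def select_baseline(state: dict, key_state: str) -> dict:
    """Step 212: baseline data for this device model at the chosen key state."""
    if key_state not in KEY_STATES:
        raise ValueError(f"unknown key state: {key_state}")
    return BASELINE_DB[(state["device_model"], key_state)]  # KeyError if never collected


def detect(state: dict, key_state: str = "config_saved") -> dict:
    """Steps 206-216 for one extracted state record (exact compare only)."""
    os_type = identify_os(state)
    scheme = select_scheme(os_type, state)
    baseline = select_baseline(state, key_state)
    abnormal = [i for i in scheme.items if state.get(i) != baseline.get(i)]
    return {"device_model": state["device_model"], "os_type": os_type,
            "scheme": scheme.name, "baseline": key_state,
            "label": "abnormal" if abnormal else "normal", "abnormal_items": abnormal}


# Constructed state records as extracted from the device (step 206).
STATE_CLEAN = {"device_model": "demo-coffee-maker", "kernel_name": "Linux",
               "shell": "busybox", **BASELINE_DB[("demo-coffee-maker", "config_saved")]}
STATE_TAMPERED = dict(STATE_CLEAN, init_script_md5="e" * 32)

if __name__ == "__main__":
    print(detect(STATE_CLEAN))
    print(detect(STATE_TAMPERED))
    print(detect(STATE_CLEAN, key_state="factory"))
```

Comparing the saved-configuration state against the factory baseline flags the open port and brew profile that legitimately changed during configuration, which is why the text keeps separate baselines per key state: the operator chooses the baseline that matches the moment the device is expected to resemble.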
In a specific embodiment, the invention is also applied to the experimental case in which Martin Hron, a senior researcher at the security company Avast, compromised and infected a third-generation Smarter iKettle smart coffee maker in September 2020. Original baseline information is collected from the coffee maker's factory state information, its state information at the time initial configuration is completed, and its state information at specified configuration save times (for example, the configuration state before deciding to place the coffee maker in public to provide service, after a legitimate update obtained from the official vendor is installed, and after the nightly maintenance each day), and this initial baseline information is stored in the baseline detection database. The state feature information of the coffee maker to be detected is then extracted in full regularly, irregularly or on demand; its operating system is identified, the corresponding detection scheme and baseline detection data are selected, and the comparative analysis is carried out in strict mode. This effectively detects that the coffee maker's firmware and scripts are inconsistent with the legitimate, officially issued file data on which normal operation depends, and are therefore strongly suspected of malicious tampering, and an alarm is raised in the detection result for further analysis and response. In other words, the method disclosed by the invention can realize cyber threat detection on the smart coffee maker.
As shown in fig. 3 and fig. 4, an embodiment of the present invention further provides a threat detection apparatus for an internet of things device (threat detection apparatus for short). The apparatus embodiments may be implemented by software, by hardware, or by a combination of the two. From the hardware aspect, fig. 3 is the hardware architecture diagram of the electronic device in which the threat detection apparatus according to an embodiment of the present invention is located; besides the processor, memory, network interface and nonvolatile memory shown in fig. 3, that electronic device may also include other hardware, such as a forwarding chip responsible for processing messages. Taking a software implementation as an example, as shown in fig. 4, the apparatus is a logical device formed when the CPU of the electronic device reads the corresponding computer program from the non-volatile memory into memory and runs it. The threat detection apparatus provided by this embodiment includes an information extraction module 400, a system determination module 401, a data analysis module 402 and a result output module 403; specifically:
the information extraction module 400 is configured to obtain status feature information of the to-be-detected internet of things device;
the system determination module 401 is configured to search in a system feature library based on the acquired state feature information, and identify an operating system type of the to-be-detected internet-of-things device;
the data analysis module 402 is configured to search in a detection scheme library based on the identified operating system type to determine a detection scheme; the detection scheme library stores a plurality of detection schemes, and each detection scheme comprises a detection rule, a detection step and an applicable condition;
searching in a baseline detection database based on the acquired state characteristic information to determine baseline detection data; the normal state information of various Internet of things equipment is stored in the baseline detection database and is used as baseline detection data;
comparing and analyzing the acquired state characteristic information and the baseline detection data according to the determined detection scheme and the user input instruction, judging whether the abnormality occurs or not, and generating a detection result;
the result output module 403 is used for outputting the detection result.
In the embodiment of the present invention, the information extraction module 400 may be configured to perform step 100 of the above-described method embodiment, the system determination module 401 may be configured to perform step 102, the data analysis module 402 may be configured to perform steps 104 to 108, and the result output module 403 may be configured to perform step 110. The modules cooperate according to the method flow but are mutually independent and loosely coupled, so that upgrading or updating one or more modules does not force a change to the whole.
Optionally, the threat detection apparatus for the internet of things device provided by the invention is relatively independent from the internet of things device to be detected. The device is independent of the to-be-detected Internet of things equipment, supports integrated deployment, does not occupy Internet of things equipment software and hardware resources as much as possible except for acquiring state characteristic information of the to-be-detected Internet of things equipment, can avoid the safety protection cost of the Internet of things equipment from being greatly increased, supports regular/on-demand application, is not limited by a long-term fixed access mode, and has deployment flexibility and mobile portability.
Optionally, in the threat detection apparatus for internet of things devices provided by the present invention, the system determination module 401 is further configured to obtain determination features of operating systems of multiple types of internet of things devices, and construct a system feature library, so as to implement matching and identification of operating systems of internet of things devices.
Optionally, as shown in fig. 5, the threat detection apparatus for internet of things devices provided by the present invention further includes a scheme generation module 404, where the scheme generation module 404 is configured to obtain multiple detection schemes suitable for an operating system of the internet of things devices, classify the detection schemes according to suitable conditions, and construct a detection scheme library; wherein the applicable condition at least comprises the kind of the applicable operating system. The detection scheme library can be updated according to needs, and is high in expansibility and timeliness.
Optionally, the threat detection apparatus for internet of things devices provided by the present invention further includes a baseline collection module 405, where the baseline collection module 405 is configured to obtain normal state information of key states of multiple internet of things devices, and construct a baseline detection database; the key states comprise a factory state, an initialized configuration finishing time state and a specified configuration saving time state. The baseline detection database can be updated as required, and is high in expansibility and timeliness.
Optionally, the data analysis module 402 in the threat detection apparatus for internet of things devices provided by the present invention is configured to compare and analyze the acquired state feature information with the baseline detection data according to the determined detection scheme and the user input instruction, determine whether an abnormality occurs, and generate a detection result, where the data analysis module includes:
selecting and executing a complete matching mode or a partial matching mode according to the determined detection scheme and a user input instruction;
under a complete matching mode, extracting and comparing feature items from the acquired state feature information and baseline detection data according to a determined detection scheme, if and only if the extracted feature comparison results of all the items are completely the same, judging that no abnormality occurs, otherwise, judging that abnormality occurs, and determining an abnormal feature item;
under a partial matching mode, extracting and comparing feature items from the acquired state feature information and baseline detection data according to a determined detection scheme, wherein all the feature items are divided into basic feature items and additional feature items, if the comparison results of the basic feature items are the same and the comparison results of the additional feature items meet a detection rule, judging that no abnormality occurs, otherwise, judging that the abnormality occurs, and determining abnormal feature items;
and generating a detection result, wherein the detection result comprises a label displaying the abnormal condition or not, and if the label is abnormal, the detection result also comprises an abnormal characteristic item. When the method is applied, a complete matching mode or a partial matching mode can be selected according to needs.
It is to be understood that the illustrated structure of the embodiment of the present invention does not form a specific limitation to a threat detection apparatus for an internet of things device. In other embodiments of the invention, a threat detection apparatus for an internet of things device may include more or fewer components than shown, or combine certain components, or split certain components, or a different arrangement of components. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.
Because the content of information interaction, execution process, and the like among the modules in the device is based on the same concept as the method embodiment of the present invention, specific content can be referred to the description in the method embodiment of the present invention, and is not described herein again.
The embodiment of the invention also provides electronic equipment which comprises a memory and a processor, wherein the memory stores a computer program, and when the processor executes the computer program, the threat detection method of the equipment of the internet of things in any embodiment of the invention is realized.
An embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored on the storage medium, and when the computer program is executed by a processor, the processor is enabled to execute a threat detection method for an internet of things device in any embodiment of the present invention.
Specifically, a system or an apparatus equipped with a storage medium on which software program codes that realize the functions of any of the above-described embodiments are stored may be provided, and a computer (or a CPU or MPU) of the system or the apparatus is caused to read out and execute the program codes stored in the storage medium.
In this case, the program code itself read from the storage medium can realize the functions of any of the above-described embodiments, and thus the program code and the storage medium storing the program code constitute a part of the present invention.
Examples of the storage medium for supplying the program code include a floppy disk, a hard disk, a magneto-optical disk, an optical disk (e.g., CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD + RW), a magnetic tape, a nonvolatile memory card, and a ROM. Alternatively, the program code may be downloaded from a server computer via a communications network.
Further, it should be clear that the functions of any one of the above-described embodiments may be implemented not only by executing the program code read out by the computer, but also by causing an operating system or the like operating on the computer to perform a part or all of the actual operations based on instructions of the program code.
Further, it is to be understood that the program code read out from the storage medium is written to a memory provided in an expansion board inserted into the computer or to a memory provided in an expansion module connected to the computer, and then causes a CPU or the like mounted on the expansion board or the expansion module to perform part or all of the actual operations based on instructions of the program code, thereby realizing the functions of any of the above-described embodiments.
The embodiments of the invention have at least the following beneficial effects:
1. The threat detection method (or apparatus, electronic device and computer-readable storage medium) for Internet of things equipment provided by the invention obtains the state feature information of the to-be-detected Internet of things device, selects a detection scheme aimed at the device's operating system, and, combined with the normal state information of the device, performs detection on a baseline detection basis. Apart from the necessary collection of state information, it does not occupy software and hardware resources of the Internet of things device, and the core processes of threat detection and analysis can be completed outside the device. Processing time is short, the CPU (Central Processing Unit) and storage occupancy on the device is low, and the economic cost is low. It can support security detection of currently common Internet of things devices, basically covers the operating system types of those devices, has high universality and coverage, and is expected to yield considerable benefits in practical application scenarios (particularly in large clusters of device nodes or large-scale networking scenarios).
2. The threat detection method of the Internet of things equipment, provided by the invention, can be used for constructing the detection scheme library and the baseline detection database as required and continuously updating, has strong expansibility, supports regular/on-demand detection, realizes the safety state detection and the network-air threat discovery of the Internet of things equipment, and further provides a reliable basis for subsequent deep analysis and response treatment.
3. The detection result data output by the threat detection method of the Internet of things equipment provided by the invention is output by adopting a standardized general format, and other Internet of things security defense measures are favorably used as input data to carry out further linkage analysis and response.
4. The device, the electronic equipment and the computer readable storage medium provided by the invention can be independent of the to-be-detected Internet of things equipment, support integrated deployment to avoid the phenomenon that the safety protection cost of the Internet of things equipment is greatly increased, support regular/on-demand application, are not limited by a long-term fixed access mode, and have deployment flexibility and mobile portability.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an …" does not exclude the presence of other similar elements in a process, method, article, or apparatus that comprises the element.
Those of ordinary skill in the art will understand that: all or part of the steps for realizing the method embodiments can be completed by hardware related to program instructions, the program can be stored in a computer readable storage medium, and the program executes the steps comprising the method embodiments when executed; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A threat detection method for Internet of things equipment is characterized by comprising the following steps:
acquiring state characteristic information of the to-be-detected Internet of things equipment;
searching in a system feature library based on the acquired state feature information, and identifying the type of an operating system of the to-be-detected Internet of things equipment;
searching in a detection scheme library based on the identified operating system type to determine a detection scheme;
searching in a baseline detection database based on the acquired state characteristic information to determine baseline detection data;
according to the determined detection scheme and a user input instruction, comparing and analyzing the acquired state characteristic information and baseline detection data, judging whether abnormality occurs or not, and generating a detection result;
and outputting the detection result.
2. The method of claim 1, further comprising:
and acquiring the judgment features of the operating systems of various Internet of things devices before searching in a system feature library based on the acquired state feature information, and constructing the system feature library.
3. The method of claim 1, further comprising:
before searching in a detection scheme library based on the identified operating system type, acquiring a plurality of detection schemes suitable for the operating system of the equipment of the Internet of things, classifying according to suitable conditions, and constructing a detection scheme library; wherein the applicable condition at least comprises the kind of the applicable operating system.
4. The method of claim 1, further comprising:
acquiring normal state information of key states of various Internet of things equipment before searching in a baseline detection database based on the acquired state characteristic information, and constructing a baseline detection database; the key states comprise a factory state, an initialized configuration finishing time state and a specified configuration saving time state.
5. The method of claim 4,
the normal state information includes one or more of device basic characteristics, operation characteristics, log characteristics, process characteristics, and network characteristics.
6. The method of claim 1,
the step of comparing and analyzing the acquired state characteristic information and the baseline detection data according to the determined detection scheme and the user input instruction, judging whether the abnormality occurs, and generating a detection result includes:
selecting and executing a complete matching mode or a partial matching mode according to the determined detection scheme and a user input instruction;
under a complete matching mode, extracting and comparing feature items from the acquired state feature information and baseline detection data according to a determined detection scheme, if and only if the extracted feature comparison results of all the items are completely the same, judging that no abnormality occurs, otherwise, judging that abnormality occurs, and determining an abnormal feature item;
under a partial matching mode, extracting and comparing feature items from the acquired state feature information and baseline detection data according to a determined detection scheme, wherein the feature items are divided into basic feature items and additional feature items, if the comparison results of the basic feature items are the same and the comparison results of the additional feature items meet a detection rule, judging that no abnormality occurs, otherwise, judging that the abnormality occurs, and determining abnormal feature items;
and generating a detection result, wherein the detection result comprises a label displaying the abnormal condition or not, and if the label is abnormal, the detection result also comprises an abnormal characteristic item.
7. A threat detection apparatus for Internet of things equipment, comprising:
the information extraction module is used for acquiring state characteristic information of the to-be-detected Internet of things equipment;
the system judgment module is used for searching in a system feature library based on the acquired state feature information and identifying the type of an operating system of the to-be-detected Internet of things equipment;
the data analysis module is used for searching in the detection scheme library based on the identified operating system type to determine a detection scheme;
searching in a baseline detection database based on the acquired state characteristic information to determine baseline detection data;
comparing and analyzing the acquired state characteristic information and the baseline detection data according to the determined detection scheme and the user input instruction, judging whether the abnormality occurs or not, and generating a detection result;
and the result output module is used for outputting the detection result.
8. The apparatus of claim 7,
the threat detection device of the Internet of things equipment is relatively independent of the Internet of things equipment to be detected.
9. An electronic device comprising a memory and a processor, the memory having stored therein a computer program, characterized in that the processor, when executing the computer program, implements the method according to any of claims 1-6.
10. A storage medium having stored thereon a computer program, characterized in that the computer program, when executed in a computer, causes the computer to perform the method of any of claims 1-6.
CN202111583424.1A 2021-12-22 2021-12-22 Threat detection method and device for Internet of things equipment, electronic equipment and storage medium Active CN114254308B (en)

Publications (2)

Publication Number Publication Date
CN114254308A true CN114254308A (en) 2022-03-29
CN114254308B CN114254308B (en) 2024-08-13

Family

ID=80794405

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108200106A (en) * 2018-04-02 2018-06-22 浙江九州量子信息技术股份有限公司 An Internet of Things security detection and protection method
CN108780479A (en) * 2015-09-05 2018-11-09 万事达卡技术加拿大无限责任公司 System and method for detecting and scoring anomalies
CN110381090A (en) * 2019-08-23 2019-10-25 新华三信息安全技术有限公司 Terminal abnormal detection method, device, detection device and machine readable storage medium
US20200162503A1 (en) * 2018-11-19 2020-05-21 Cisco Technology, Inc. Systems and methods for remediating internet of things devices
CN112636985A (en) * 2020-12-30 2021-04-09 国网青海省电力公司信息通信公司 Network asset detection device based on automatic discovery algorithm

Also Published As

Publication number Publication date
CN114254308B (en) 2024-08-13

Similar Documents

Publication Publication Date Title
US8973133B1 (en) Systems and methods for detecting abnormal behavior of networked devices
EP3878191B1 (en) Subnet-based device allocation with geofenced attestation
US8910129B1 (en) Scalable control system for test execution and monitoring utilizing multiple processors
CN111737696A (en) Method, system and equipment for detecting malicious file and readable storage medium
CN114145004B (en) System and method for using DNS messages to selectively collect computer forensic data
KR102095334B1 (en) Log information generating device and recording medium and log information extraction device and recording medium
CN111835794A (en) Firewall policy control method and device, electronic equipment and storage medium
US9021005B2 (en) System and method to provide remote device management for mobile virtualized platforms
CN103946834A (en) Virtual network interface objects
US11250147B2 (en) Hybrid approach to data governance
CN114238961A (en) Threat detection method and device for cloud host, electronic equipment and storage medium
CN104937897B (en) System and method for eliminating redundant security analysis of network packets
US20210099424A1 (en) An industrial control system firewall module
CN104243214A (en) Data processing method, device and system
CN113542292A (en) Intranet safety protection method and system based on DNS and IP credit data
US9832209B1 (en) Systems and methods for managing network security
WO2021135257A1 (en) Vulnerability processing method and related device
KR102686255B1 (en) Methods, devices and storage media for organizing resources
US20110219103A1 (en) Quarantine tool
CN114254308A (en) Threat detection method and device for Internet of things equipment, electronic equipment and storage medium
US11283881B1 (en) Management and protection of internet of things devices
KR20230156262A (en) System and method for machine learning based malware detection
CN104104666A (en) Method and device for detecting abnormal cloud services
WO2014209889A1 (en) System and method for antivirus protection
CN111654398B (en) Configuration updating method and device, computer equipment and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant