CN114499949B - Device binding method and device, electronic device and computer readable medium - Google Patents


Publication number
CN114499949B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111587948.8A
Other languages
Chinese (zh)
Other versions
CN114499949A (en)
Inventor
陈光宇
李永贵
杜江涛
薛亮
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Huanyu Boya Technology Co ltd
Original Assignee
Beijing Huanyu Boya Technology Co ltd
Application filed by Beijing Huanyu Boya Technology Co ltd
Priority to CN202111587948.8A
Publication of CN114499949A
Application granted
Publication of CN114499949B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/10 Active monitoring, e.g. heartbeat, ping or trace-route
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

Embodiments of the present disclosure disclose a device binding method, a device binding apparatus, an electronic device and a computer-readable medium. One embodiment of the method comprises: identifying whether a device to be connected has a communication connection with a target interface; in response to the device to be connected having a communication connection with the target interface, determining the communication protocol included in a data message sent by the device to be connected, so as to generate communication protocol information; binding a target communication protocol and a target communication address to the target interface, wherein the target communication protocol is the communication protocol corresponding to the communication protocol information, and the target communication address is the communication address corresponding to the device to be connected; and, in response to the binding succeeding, communicating with the device to be connected through the target interface. This embodiment ensures the security of the local area network.

Description

Device binding method and device, electronic device and computer readable medium
Technical Field
Embodiments of the present disclosure relate to the technical field of computers, and in particular to a device binding method and apparatus, an electronic device and a computer-readable medium.
Background
In a local area network used for industrial equipment control in the oil exploitation industry, a large amount of data flows from the industrial equipment of each base station. At the same time, the internal links of the local area network are complex and include numerous edge nodes. Therefore, any link and any edge node inside the local area network may become an entry point through which virus intrusion, data theft and the like compromise the stability and security of the local area network. The switch, as a terminal that collects data in the network, is often a device inside the local area network that is very easy to intrude on. At present, the method generally adopted to protect a switch is physical protection, such as placing the switch in a locked chassis.
However, the above approach often has the following technical problems:
First, because oil exploitation areas are often located in sparsely populated areas, when a mechanical device protecting the switch (such as a locked chassis) is damaged, the damage cannot be discovered in time, which reduces the security of the local area network;
Second, a switch in use often keeps a certain number of reserved interfaces, and the interior of the local area network can be intruded on directly through these reserved interfaces, which reduces the security of the local area network.
Disclosure of Invention
This summary is provided to introduce a selection of concepts in a simplified form that are further described below in the detailed description. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.
Some embodiments of the present disclosure propose a device binding method, apparatus, electronic device and computer readable medium to solve one or more of the technical problems mentioned in the background section above.
In a first aspect, some embodiments of the present disclosure provide a device binding method, including: identifying whether a device to be connected has a communication connection with a target interface; in response to the device to be connected having a communication connection with the target interface, determining the communication protocol included in a data message sent by the device to be connected, so as to generate communication protocol information; binding a target communication protocol and a target communication address to the target interface, wherein the target communication protocol is the communication protocol corresponding to the communication protocol information, and the target communication address is the communication address corresponding to the device to be connected; and, in response to the binding succeeding, communicating with the device to be connected through the target interface.
Optionally, the method further includes: determining whether communication with the device to be connected is normal, so as to generate communication state information; and, in response to the communication state information indicating that communication with the device to be connected is interrupted, refusing to communicate through the target interface with any device other than the device to be connected.
Optionally, the method further includes: performing anomaly detection on the data message sent by the device to be connected, so as to generate anomaly detection information; in response to the anomaly detection information indicating that the data message sent by the device to be connected is abnormal, generating alarm information; and sending the alarm information to a target terminal for display.
Optionally, determining the communication protocol included in the data message sent by the device to be connected, so as to generate communication protocol information, includes: determining the communication protocol included in the data message according to the protocol identifier carried by the data message sent by the device to be connected, so as to generate the communication protocol information.
Optionally, binding the target communication protocol and the target communication address to the target interface includes: associating the target communication protocol with the target interface to generate first association information; and associating the target communication address with the target interface to generate second association information.
Optionally, determining whether communication with the device to be connected is normal, so as to generate the communication state information, includes: in response to no data message from the device to be connected being received after a first target duration, sending a first heartbeat detection message to the device to be connected; in response to receiving feedback information returned by the device to be connected for the first heartbeat detection message, generating communication state information indicating that communication with the device to be connected is normal; in response to no feedback information for the first heartbeat detection message being received from the device to be connected after a second target duration, sending a second heartbeat detection message to the device to be connected; in response to receiving feedback information returned by the device to be connected for the second heartbeat detection message, generating communication state information indicating that communication with the device to be connected is normal; in response to no feedback information for the second heartbeat detection message being received from the device to be connected after the second target duration, determining the total amount of data sent by the device to be connected within a target time period; and, in response to the total amount of data being smaller than the data transmission threshold corresponding to the target interface, generating communication state information indicating that communication with the device to be connected is abnormal.
Optionally, performing anomaly detection on the data message sent by the device to be connected, so as to generate anomaly detection information, includes: segmenting the target time period using a preset sliding window size and a preset step length to generate a sequence of sub-target time periods; determining the amount of data sent by the device to be connected in each sub-target time period of the sequence to generate a first quantity value, thereby obtaining a sequence of first quantity values; determining a mean sent data amount from the sequence of first quantity values; selecting, from the sequence of sub-target time periods, the sub-target time periods that meet the screening condition as candidate time periods; generating a first anomaly degree value from the first quantity values corresponding to the candidate time periods and the mean sent data amount; determining a second anomaly degree value of the data message sent by the device to be connected through feature comparison; generating a third anomaly degree value from a pre-trained anomaly detection model and the data message sent by the device to be connected; and generating the anomaly detection information as a weighted sum of the first anomaly degree value, the second anomaly degree value and the third anomaly degree value.
In a second aspect, some embodiments of the present disclosure provide a device binding apparatus, the apparatus comprising: an identification unit, a processing unit and a control unit, wherein the identification unit is configured to identify whether a device to be connected has a communication connection with a target interface; a determining unit configured to determine, in response to the device to be connected having a communication connection with the target interface, the communication protocol included in a data message sent by the device to be connected, so as to generate communication protocol information; a binding unit configured to bind a target communication protocol and a target communication address to the target interface, wherein the target communication protocol is the communication protocol corresponding to the communication protocol information, and the target communication address is the communication address corresponding to the device to be connected; and a communication unit configured to communicate with the device to be connected through the target interface in response to the binding succeeding.
Optionally, the apparatus is further configured to: determine whether communication with the device to be connected is normal, so as to generate communication state information; and, in response to the communication state information indicating that communication with the device to be connected is interrupted, refuse to communicate through the target interface with any device other than the device to be connected.
Optionally, the apparatus is further configured to: perform anomaly detection on the data message sent by the device to be connected, so as to generate anomaly detection information; in response to the anomaly detection information indicating that the data message sent by the device to be connected is abnormal, generate alarm information; and send the alarm information to a target terminal for display.
Optionally, the determining unit is further configured to: determine the communication protocol included in the data message sent by the device to be connected according to the protocol identifier carried by that data message, so as to generate communication protocol information.
Optionally, the binding unit is further configured to: associate the target communication protocol with the target interface to generate first association information; and associate the target communication address with the target interface to generate second association information.
Optionally, the apparatus is further configured to: in response to no data message from the device to be connected being received after a first target duration, send a first heartbeat detection message to the device to be connected; in response to receiving feedback information returned by the device to be connected for the first heartbeat detection message, generate communication state information indicating that communication with the device to be connected is normal; in response to no feedback information for the first heartbeat detection message being received from the device to be connected after a second target duration, send a second heartbeat detection message to the device to be connected; in response to receiving feedback information returned by the device to be connected for the second heartbeat detection message, generate communication state information indicating that communication with the device to be connected is normal; in response to no feedback information for the second heartbeat detection message being received from the device to be connected after the second target duration, determine the total amount of data sent by the device to be connected within a target time period; and, in response to the total amount of data being smaller than the data transmission threshold corresponding to the target interface, generate communication state information indicating that communication with the device to be connected is abnormal.
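The two-stage heartbeat check described above, as an added Python sketch that is not code from the patent. The durations, the threshold, the class name and the `send_heartbeat` callback are hypothetical; the text only defines the outcome when the volume is below the threshold, so the sketch assumes the link stays normal otherwise and that the abnormal state is latched.

```python
from collections import deque

NORMAL, ABNORMAL = "normal", "abnormal"


class LinkMonitor:
    """Per-interface communication state, driven by a caller-supplied clock."""

    def __init__(self, t1, t2, period, threshold, send_heartbeat):
        self.t1 = t1                # first target duration (seconds of silence)
        self.t2 = t2                # second target duration (wait for feedback)
        self.period = period        # target time period for the volume check
        self.threshold = threshold  # data transmission threshold (bytes)
        self.send_heartbeat = send_heartbeat  # hypothetical callback(seq)
        self.state = NORMAL
        self._phase = 0             # 0 idle, 1 awaiting reply 1, 2 awaiting reply 2
        self._last_rx = 0.0
        self._sent_at = 0.0
        self._rx = deque()          # (timestamp, nbytes) from the bound device

    def on_data(self, now, nbytes):
        self._rx.append((now, nbytes))
        if self.state == NORMAL:
            self._last_rx = now
            self._phase = 0         # traffic seen, no probe outstanding

    def on_heartbeat_reply(self, now):
        if self.state == NORMAL and self._phase:
            self._last_rx = now
            self._phase = 0

    def _volume(self, now):
        # Total bytes received inside the target time period ending at `now`.
        while self._rx and self._rx[0][0] < now - self.period:
            self._rx.popleft()
        return sum(n for _, n in self._rx)

    def tick(self, now):
        if self.state == ABNORMAL:
            return self.state       # assumption: latched until an operator clears it
        if self._phase == 0:
            if now - self._last_rx >= self.t1:
                self._phase, self._sent_at = 1, now
                self.send_heartbeat(1)
        elif now - self._sent_at >= self.t2:
            if self._phase == 1:
                self._phase, self._sent_at = 2, now
                self.send_heartbeat(2)
            else:
                # Both probes unanswered: fall back to the volume check.
                self._phase, self._last_rx = 0, now
                if self._volume(now) < self.threshold:
                    self.state = ABNORMAL
                # Assumption: at or above the threshold the link stays NORMAL.
        return self.state


def simulate(replies_to, traffic):
    """Constructed 60 s timeline with 1 s ticks.

    replies_to: heartbeat sequence numbers the device answers (1 s later).
    traffic:    {second: nbytes} received from the device.
    """
    sent = []
    mon = LinkMonitor(t1=10, t2=5, period=30, threshold=1000,
                      send_heartbeat=sent.append)
    reply_due = None
    for now in range(61):
        if now in traffic:
            mon.on_data(now, traffic[now])
        if reply_due == now:
            mon.on_heartbeat_reply(now)
            reply_due = None
        probes = len(sent)
        mon.tick(now)
        if len(sent) > probes and sent[-1] in replies_to:
            reply_due = now + 1
    return mon.state, sent


if __name__ == "__main__":
    print(simulate({1}, {0: 500}))    # answers the first probe
    print(simulate({2}, {0: 500}))    # answers only the second probe
    print(simulate(set(), {0: 500}))  # silent and below the threshold
```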
Optionally, the apparatus is further configured to: segment the target time period using a preset sliding window size and a preset step length to generate a sequence of sub-target time periods; determine the amount of data sent by the device to be connected in each sub-target time period of the sequence to generate a first quantity value, thereby obtaining a sequence of first quantity values; determine a mean sent data amount from the sequence of first quantity values; select, from the sequence of sub-target time periods, the sub-target time periods that meet the screening condition as candidate time periods; generate a first anomaly degree value from the first quantity values corresponding to the candidate time periods and the mean sent data amount; determine a second anomaly degree value of the data message sent by the device to be connected through feature comparison; generate a third anomaly degree value from a pre-trained anomaly detection model and the data message sent by the device to be connected; and generate the anomaly detection information as a weighted sum of the first anomaly degree value, the second anomaly degree value and the third anomaly degree value.
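The sliding-window scoring described above, as an added Python sketch that is not code from the patent. The text does not define the screening condition, the degree formulas, the compared features or the weights, so all of these are assumptions here: a window is a candidate when its volume exceeds twice the mean, the first degree is one minus mean over the largest candidate volume, the second degree is the share of packets outside a (protocol, port) baseline, and the model output is passed in by the caller.

```python
def sub_periods(start, end, size, step):
    """Sub-target time periods [t, t + size) inside the target period."""
    if size <= 0 or step <= 0 or end - start < size:
        raise ValueError("window must be positive and fit inside the period")
    out, t = [], start
    while t + size <= end:
        out.append((t, t + size))
        t += step
    return out


def first_degree(volumes, ratio=2.0):
    """Volume-based degree; `ratio` is the assumed screening condition."""
    mean = sum(volumes) / len(volumes)
    candidates = [i for i, v in enumerate(volumes)
                  if mean > 0 and v > ratio * mean]
    if not candidates:
        return 0.0, candidates
    worst = max(volumes[i] for i in candidates)
    return 1.0 - mean / worst, candidates


def second_degree(packets, baseline):
    """Feature comparison: share of packets outside the known baseline."""
    if not packets:
        return 0.0
    off = sum(1 for p in packets if (p[2], p[3]) not in baseline)
    return off / len(packets)


def detect(packets, period, size, step, baseline, model_score,
           weights=(0.5, 0.3, 0.2), alarm_at=0.35):
    """packets: (timestamp, nbytes, protocol, dst_port) tuples.

    model_score is the output of the pre-trained model in [0, 1];
    no model is included in this sketch.
    """
    subs = sub_periods(period[0], period[1], size, step)
    volumes = [sum(p[1] for p in packets if lo <= p[0] < hi)
               for lo, hi in subs]
    d1, cand = first_degree(volumes)
    d2 = second_degree(packets, baseline)
    score = weights[0] * d1 + weights[1] * d2 + weights[2] * model_score
    return {
        "volumes": volumes,
        "candidates": [subs[i] for i in cand],
        "score": score,
        "alarm": score >= alarm_at,
    }


# Constructed sample traffic: one 100-byte message every 5 s, plus one
# large message to a port the device has never used.
BASELINE = {("TCP", 502)}
STEADY = [(t, 100, "TCP", 502) for t in range(0, 60, 5)]
BURST = STEADY + [(42, 5000, "TCP", 8080)]

if __name__ == "__main__":
    print(detect(STEADY, (0, 60), 20, 10, BASELINE, model_score=0.1))
    print(detect(BURST, (0, 60), 20, 10, BASELINE, model_score=0.5))
```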
In a third aspect, some embodiments of the present disclosure provide an electronic device, comprising: one or more processors; a storage device having one or more programs stored thereon, which when executed by one or more processors, cause the one or more processors to implement the method described in any of the implementations of the first aspect.
In a fourth aspect, some embodiments of the present disclosure provide a computer readable medium on which a computer program is stored, wherein the program, when executed by a processor, implements the method described in any of the implementations of the first aspect.
The above embodiments of the present disclosure have the following advantages: the device binding method of some embodiments of the present disclosure improves the security of the local area network. Specifically, the security of the local area network is low for the following reasons: first, because oil production areas are often located in sparsely populated areas, when a device protecting the switch (e.g., a locked chassis) is damaged, the damage is often not discovered in time, which reduces the security of the local area network. Second, a switch in use often keeps a certain number of reserved interfaces, and the interior of the local area network can be intruded on directly through these reserved interfaces, which reduces the security of the local area network. Based on this, the device binding method of some embodiments of the present disclosure first identifies whether a device to be connected has a communication connection with the target interface. In practice, because a switch in use often keeps a certain number of reserved interfaces through which the interior of the local area network can be intruded on directly, this identification determines whether a device is connected to an interface of the switch. Then, in response to the device to be connected having a communication connection with the target interface, the communication protocol included in the data message sent by the device to be connected is determined, so as to generate communication protocol information. Information exchange is the main function of the switch, which often has to forward data sent by devices connected through its interfaces. Therefore, the communication protocol included in the data packet sent by the device to be connected needs to be determined.
Next, a target communication protocol and a target communication address are bound to the target interface, wherein the target communication protocol is the communication protocol corresponding to the communication protocol information, and the target communication address is the communication address corresponding to the device to be connected. Because both the communication protocol and the communication address are bound to the target interface, the target interface can only receive data messages that are sent from that communication address and conform to that communication protocol. This ensures that other devices cannot transmit data to the switch through the target interface. Finally, in response to the binding succeeding, communication with the device to be connected takes place through the target interface; data transmission starts once the binding succeeds. In this way, even if the mechanical means protecting the switch are destroyed, the local area network cannot be intruded on or damaged through the switch. Furthermore, binding the communication protocol and the communication address to the interface prevents other devices from intruding on the local area network through the bound interface. Meanwhile, unbound interfaces cannot transmit data. This ensures that the interior of the local area network cannot be intruded on through the interfaces of the switch, thereby ensuring the security of the local area network.
Drawings
The above and other features, advantages and aspects of various embodiments of the present disclosure will become more apparent by referring to the following detailed description when taken in conjunction with the accompanying drawings. Throughout the drawings, the same or similar reference numbers refer to the same or similar elements. It should be understood that the drawings are schematic and that components and elements are not necessarily drawn to scale.
FIG. 1 is a schematic diagram of one application scenario of a device binding method of some embodiments of the present disclosure;
FIG. 2 is a flow diagram of some embodiments of a device binding method according to the present disclosure;
FIG. 3 is a flow diagram of further embodiments of a device binding method according to the present disclosure;
FIG. 4 is a schematic block diagram of some embodiments of a device binding apparatus according to the present disclosure;
FIG. 5 is a schematic structural diagram of an electronic device suitable for use in implementing some embodiments of the present disclosure.
Detailed Description
Embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While certain embodiments of the present disclosure are shown in the drawings, it is to be understood that the disclosure may be embodied in various forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided for a more thorough and complete understanding of the present disclosure. It should be understood that the drawings and embodiments of the disclosure are for illustration purposes only and are not intended to limit the scope of the disclosure.
It should be noted that, for convenience of description, only the portions related to the invention concerned are shown in the drawings. The embodiments and features of the embodiments in the present disclosure may be combined with each other without conflict.
It should be noted that the terms "first", "second", and the like in the present disclosure are only used for distinguishing different devices, modules or units, and are not used for limiting the order or interdependence relationship of the functions performed by the devices, modules or units.
It should be noted that the modifiers "a", "an" and "the" in this disclosure are illustrative rather than limiting, and those skilled in the art should understand them as "one or more" unless the context clearly dictates otherwise.
The names of messages or information exchanged between devices in the embodiments of the present disclosure are for illustrative purposes only, and are not intended to limit the scope of the messages or information.
The present disclosure will be described in detail below with reference to the accompanying drawings in conjunction with embodiments.
Fig. 1 is a schematic diagram of one application scenario of a device binding method of some embodiments of the present disclosure.
In the application scenario of fig. 1, first, the computing device 101 may identify whether there is a communication connection between the device to be connected 102 and the target interface 103; secondly, in response to the existence of the communication connection between the device to be connected 102 and the target interface 103, the computing device 101 may determine a communication protocol included in the data packet sent by the device to be connected 102, so as to generate communication protocol information 104; next, the computing device 101 may bind a target communication protocol 105 and a target communication address 106 to the target interface 103, where the target communication protocol 105 is a communication protocol corresponding to the communication protocol information 104, and the target communication address 106 is a communication address corresponding to the device to be connected 102; finally, the computing device 101 may communicate with the to-be-connected device 102 through the target interface 103 in response to a successful binding.
The computing device 101 may be hardware or software. When the computing device is hardware, it may be implemented as a distributed cluster consisting of a plurality of servers or terminal devices, or may be implemented as a single server or a single terminal device (e.g., a switch). When the computing device is embodied as software, it may be installed in the hardware devices enumerated above. It may be implemented, for example, as multiple pieces of software or software modules that provide distributed services, or as a single piece of software or software module. This is not particularly limited herein.
It should be understood that the number of computing devices in FIG. 1 is merely illustrative. There may be any number of computing devices, as implementation needs dictate.
With continued reference to FIG. 2, a flow 200 of some embodiments of a device binding method according to the present disclosure is shown. The device binding method comprises the following steps:
Step 201, identifying whether a device to be connected is in communication connection with a target interface.
In some embodiments, an execution body of the device binding method (e.g., the computing device 101 shown in FIG. 1) may identify whether the device to be connected has a communication connection with the target interface. The device to be connected may be a device that is to communicate with the execution body (e.g., a switch) through the target interface. The target interface may be a hardware interface (e.g., a switch interface) on the execution body.
As an example, the execution body may determine whether the device to be connected is communicatively connected to the target interface by determining whether the device to be connected transmits data to the execution body through the target interface.
As another example, the execution body may determine whether the device to be connected is communicatively connected to the target interface by determining whether the voltage on the target interface changes.
Step 202, in response to the existence of the communication connection between the device to be connected and the target interface, determining a communication protocol included in the data packet sent by the device to be connected, so as to generate communication protocol information.
In some embodiments, the execution body may, in response to the device to be connected having a communication connection with the target interface, determine the communication protocol included in a data packet sent by the device to be connected, so as to generate the communication protocol information. The data packet sent by the device to be connected may be a data packet that the device to be connected sends to communicate with the execution body. It may also be a data packet sent by the device to be connected that is forwarded by the execution body. The communication protocol information may represent the transmission protocol type to which the data packet sent by the device to be connected conforms. For example, the communication protocol information may be an "ICMP (Internet Control Message Protocol) type". For another example, the communication protocol information may be an "IGMP (Internet Group Management Protocol) type". The execution body may determine the communication protocol included in the data packet sent by the device to be connected according to the packet type of that data packet, so as to generate the communication protocol information.
Step 203, binding the target communication protocol and the target communication address to the target interface.
In some embodiments, the execution body may bind the target communication protocol and the target communication address to the target interface. The target communication protocol may be the communication protocol corresponding to the communication protocol information. The target communication address is the communication address corresponding to the device to be connected. The target communication address may be a communication address that identifies the device to be connected, so that the device to be connected can transmit information in a local area network. For example, the target communication address may be an IP (Internet Protocol) address. For another example, the target communication address may also be a MAC (Media Access Control) address.
As an example, the execution body may store the target communication protocol, the target communication address, and the interface number of the target interface as a database record in a database, so as to bind the target communication protocol and the target communication address to the target interface.
Step 204, in response to the binding succeeding, communicating with the device to be connected through the target interface.
In some embodiments, the execution body may communicate with the device to be connected through the target interface in response to the binding being successful.
As an example, the execution body may communicate with the device to be connected through the target interface in response to determining that the database record is stored in the database. For example, the data packet sent by the device to be connected is received through the target interface, and the received data packet is forwarded.
The above embodiments of the present disclosure have the following advantages: the device binding method of some embodiments of the present disclosure improves the security of the local area network. Specifically, the security of the local area network is low for two reasons. First, because oil production areas are often located in sparsely populated areas, damage to a device protecting the switch (e.g., a lock chassis) is often not discovered in time, which reduces the security of the local area network. Second, a certain number of interfaces on the switch are often left reserved during use, and the interior of the local area network can be intruded directly through these reserved interfaces, which reduces the security of the local area network. Based on this, the device binding method of some embodiments of the present disclosure first identifies whether a device to be connected is in communication connection with the target interface. In practice, because the reserved interfaces on the switch allow direct intrusion into the local area network, identification is used to determine whether a device is connected to an interface of the switch. Then, in response to the existence of the communication connection between the device to be connected and the target interface, the communication protocol included in the data message sent by the device to be connected is determined, so as to generate communication protocol information. Information exchange is the main function of the switch, which often needs to forward data sent by the devices connected through its interfaces. Therefore, it is necessary to determine the communication protocol included in the data packet sent by the device to be connected.
Next, a target communication protocol and a target communication address are bound to the target interface, where the target communication protocol is the communication protocol corresponding to the communication protocol information, and the target communication address is the communication address corresponding to the device to be connected. Because both the communication protocol and the communication address are bound to the target interface, the target interface can only receive data messages that are sent from that communication address and conform to that communication protocol. This ensures that other devices cannot transmit data to the switch through the target interface. Finally, in response to the binding being successful, communication with the device to be connected takes place through the target interface; data transmission starts once the binding succeeds. In this way, even if the mechanical means protecting the switch are destroyed, the local area network cannot be intruded or damaged through the switch. Furthermore, binding the interface to a communication protocol and a communication address prevents other devices from intruding into the local area network through the bound interface. Meanwhile, unbound interfaces cannot transmit data. This ensures that the interior of the local area network cannot be intruded through the interfaces on the switch, thereby ensuring the security of the local area network.
With further reference to fig. 3, a flow 300 of further embodiments of a device binding method is illustrated. The flow 300 of the device binding method includes the following steps:
Step 301, identifying whether a device to be connected and a target interface are in communication connection.
In some embodiments, the specific implementation of step 301 and the technical effect brought by the implementation may refer to step 201 in those embodiments corresponding to fig. 2, and are not described herein again.
Step 302, determining a communication protocol included in the data message sent by the device to be connected according to the protocol identifier carried in the data message sent by the device to be connected, so as to generate communication protocol information.
In some embodiments, an execution subject (for example, the computing device 101 shown in fig. 1) of the device binding method may determine, according to a protocol identifier carried in a data packet sent by the device to be connected, a communication protocol included in the data packet sent by the device to be connected, so as to generate the communication protocol information. The protocol identifier may be an identifier that identifies a protocol type of a protocol to which the data packet sent by the device to be connected conforms. For example, the protocol identification may be "1". When the protocol identifier is "1", the protocol type that can characterize the protocol followed by the data packet sent by the device to be connected is an ICMP type. As another example, the protocol identification may also be "2". When the protocol identifier is "2", the protocol type that can characterize the protocol followed by the data packet sent by the device to be connected is an IGMP type.
Step 303, binding the target communication protocol and the target communication address to the target interface.
In some embodiments, the step of binding the target communication protocol and the target communication address to the target interface by the executing agent may include the steps of:
First, the target communication protocol is associated with the target interface to generate first associated information.
The first associated information may represent a database record storing the protocol name of the target communication protocol and the interface number of the target interface.
Second, the target communication address is associated with the target interface to generate second associated information.
The second associated information may represent a database record storing the target communication address and the interface number of the target interface.
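The protocol lookup of step 302 and the two binding records of step 303, as an added example that is not code from the patent. It assumes Ethernet II frames carrying IPv4, a MAC address as the target communication address, and an in-memory SQLite database; the table names, `make_frame` and the sample frames are constructed for illustration.

```python
import sqlite3
import struct

# Protocol identifiers named on the page: "1" is ICMP, "2" is IGMP.
PROTOCOL_NAMES = {1: "ICMP", 2: "IGMP"}
ETHERTYPE_IPV4 = 0x0800


def parse_frame(frame: bytes):
    """Return (source MAC, protocol name) of an Ethernet II + IPv4 frame, else None."""
    if len(frame) < 14 + 20:
        return None  # too short for an Ethernet header plus a minimal IPv4 header
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    if frame[14] >> 4 != 4:
        return None  # IP version field is not 4
    name = PROTOCOL_NAMES.get(frame[14 + 9])  # protocol identifier byte
    if name is None:
        return None
    return frame[6:12].hex(":"), name


class BindingTable:
    """Stores the first and second associated information as database records."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE protocol_binding "
                        "(interface INTEGER PRIMARY KEY, protocol TEXT NOT NULL)")
        self.db.execute("CREATE TABLE address_binding "
                        "(interface INTEGER PRIMARY KEY, address TEXT NOT NULL)")

    def bind(self, interface: int, frame: bytes) -> bool:
        """Bind protocol and address to the interface; False if it cannot be bound."""
        parsed = parse_frame(frame)
        if parsed is None:
            return False
        address, protocol = parsed
        try:
            with self.db:  # one transaction: both records are stored, or neither
                self.db.execute("INSERT INTO protocol_binding VALUES (?, ?)",
                                (interface, protocol))
                self.db.execute("INSERT INTO address_binding VALUES (?, ?)",
                                (interface, address))
        except sqlite3.IntegrityError:
            return False  # interface already bound; an existing binding is never replaced
        return True

    def admit(self, interface: int, frame: bytes) -> bool:
        """True only if the frame matches both records bound to the interface."""
        parsed = parse_frame(frame)
        if parsed is None:
            return False
        row = self.db.execute(
            "SELECT a.address, p.protocol FROM protocol_binding p "
            "JOIN address_binding a ON a.interface = p.interface "
            "WHERE p.interface = ?", (interface,)).fetchone()
        return row is not None and tuple(row) == parsed  # unbound interface: drop


def make_frame(src_mac: str, protocol_id: int) -> bytes:
    """Constructed sample frame: broadcast destination, minimal IPv4 header."""
    eth = (bytes.fromhex("ffffffffffff") + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, protocol_id, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1]))
    return eth + ip


if __name__ == "__main__":
    table = BindingTable()
    device = make_frame("02:00:00:00:00:01", 1)
    print("bound:", table.bind(3, device))
    print("same device, ICMP:", table.admit(3, device))
    print("other device:", table.admit(3, make_frame("02:00:00:00:00:02", 1)))
```

A source MAC address is chosen by the sender, so a check like this filters traffic on the interface rather than authenticating the device behind it.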
Step 304, in response to the binding being successful, communicating with the device to be connected through the target interface.
In some embodiments, the specific implementation of step 304 and the technical effect thereof may refer to step 204 in those embodiments corresponding to fig. 2, which are not described herein again.
Step 305, determining whether the communication with the device to be connected is normal or not to generate communication state information.
In some embodiments, the execution body may determine whether communication with the device to be connected is normal to generate the communication state information. The communication state information may be information representing whether a communication link between the device to be connected and the execution main body is clear.
As an example, the execution body may send an ICMP message to the device to be connected, and determine from the returned status code whether the communication link between the device to be connected and the execution body is clear. The communication state information may be {status code: 200}. The communication state information may also be {status code: 400}. A status code of "200" indicates that the communication link is clear. A status code of "400" may indicate that the communication link is interrupted.
In some optional implementation manners of some embodiments, the determining, by the execution main body, whether communication with the device to be connected is normal or not to generate the communication state information may include:
First step, in response to not receiving a data message sent by the device to be connected after a first target duration has elapsed, sending a first heartbeat detection message to the device to be connected.
The first target duration may be a preset duration. The first heartbeat detection message may be a message used to detect whether the link between the device to be connected and the execution body is clear. The execution body may start a timer after receiving a data packet sent by the device to be connected. If no data message sent by the device to be connected has been received after the first target duration, the first heartbeat detection message is sent to the device to be connected.
Second step, in response to receiving feedback information for the first heartbeat detection message returned by the device to be connected, generating communication state information representing normal communication with the device to be connected.
The feedback information for the first heartbeat detection message may be the reply sent by the device to be connected to the first heartbeat detection message.
Third step, in response to not receiving feedback information for the first heartbeat detection message returned by the device to be connected after a second target duration has elapsed, sending a second heartbeat detection message to the device to be connected.
The second target duration may be a preset duration. The second heartbeat detection message may be a message used to detect whether the link between the device to be connected and the execution body is clear. The execution body may start a timer after sending the first heartbeat detection message. If the data message sent by the device to be connected has not been received after the second target duration, the second heartbeat detection message is sent to the device to be connected.
Fourth step, in response to receiving feedback information for the second heartbeat detection message returned by the device to be connected, generating communication state information representing normal communication with the device to be connected.
The feedback information for the second heartbeat detection message may be the reply sent by the device to be connected to the second heartbeat detection message.
Fifth step, in response to not receiving feedback information for the second heartbeat detection message returned by the device to be connected after the second target duration has elapsed, determining the total data amount of the data sent by the device to be connected in the target time period.
The target time period may be the time period from the successful binding to the point at which the feedback information for the second heartbeat detection message is found not to have been received. The total data amount of the data sent by the device to be connected may be the total number of data packets sent by the device to be connected. It may also be the total size of the data sent by the device to be connected.
Sixth step, in response to the total data amount being smaller than the data transmission threshold corresponding to the target interface, generating communication state information representing abnormal communication with the device to be connected.
The data transmission threshold may be the minimum amount of data to be received within the target time period corresponding to the target interface.
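The six heartbeat steps above as a small state machine driven by explicit timestamps, as an added example that is not code from the patent. The class, state and action names are hypothetical; letting received data restart the idle timer and leaving the state undetermined when the total reaches the threshold are assumptions, because the page does not specify either case.

```python
from dataclasses import dataclass
from typing import Optional

NORMAL, ABNORMAL = "normal", "abnormal"
IDLE, PROBE1, PROBE2, DONE = "idle", "probe-1", "probe-2", "done"


@dataclass
class LinkMonitor:
    t1: float                      # first target duration, seconds
    t2: float                      # second target duration, seconds
    threshold: int                 # data transmission threshold of the interface, bytes
    bound_at: float                # time at which the binding succeeded
    status: Optional[str] = None   # communication state information, None = not yet set
    state: str = IDLE
    total_bytes: int = 0           # data received since the binding succeeded
    timer_start: float = 0.0

    def __post_init__(self):
        self.timer_start = self.bound_at

    def on_data(self, now: float, nbytes: int) -> None:
        """A data message arrived from the bound device."""
        self.total_bytes += nbytes
        if self.state != DONE:
            # Assumption: any received data restarts the idle timer.
            self.state, self.timer_start = IDLE, now

    def on_heartbeat_reply(self, now: float) -> bool:
        """Feedback for a heartbeat; ignored unless a probe is outstanding."""
        if self.state not in (PROBE1, PROBE2):
            return False
        self.status = NORMAL                      # steps two and four
        self.state, self.timer_start = IDLE, now
        return True

    def tick(self, now: float) -> Optional[str]:
        """Advance the timers; return the heartbeat to send, if any."""
        elapsed = now - self.timer_start
        if self.state == IDLE and elapsed >= self.t1:
            self.state, self.timer_start = PROBE1, now
            return "heartbeat-1"                  # step one
        if self.state == PROBE1 and elapsed >= self.t2:
            self.state, self.timer_start = PROBE2, now
            return "heartbeat-2"                  # step three
        if self.state == PROBE2 and elapsed >= self.t2:
            self.state = DONE                     # step five: target period ends here
            if self.total_bytes < self.threshold:
                self.status = ABNORMAL            # step six
            # Otherwise the page defines no state, so status is left unchanged.
        return None


if __name__ == "__main__":
    # Constructed timeline: 400 bytes at t=1, one answered probe, then silence.
    monitor = LinkMonitor(t1=30, t2=5, threshold=1000, bound_at=0)
    monitor.on_data(1, 400)
    for now in (31, 34, 64, 69, 74):
        if now == 34:
            monitor.on_heartbeat_reply(now)
        print(now, monitor.tick(now), monitor.state, monitor.status)
```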
Step 306, in response to determining that the communication state information represents that the communication with the device to be connected is interrupted, rejecting the communication with other devices except the device to be connected through the target interface.
In some embodiments, the execution body may reject communication with devices other than the device to be connected through the target interface in response to determining that the communication state information characterizes a communication interruption with the device to be connected. The execution body may determine whether the communication protocol type of a data packet sent by a device other than the device to be connected, and the communication address of that device, are consistent with the communication protocol type and the communication address of the device to be connected. When they are inconsistent, the execution body may discard all the data messages sent by the device to be connected through the target interface, so as to reject communication with devices other than the device to be connected through the target interface.
Step 307, performing anomaly detection on the data message sent by the device to be connected to generate anomaly detection information.
In some embodiments, the execution main body may perform anomaly detection on the data packet sent by the device to be connected, so as to generate the anomaly detection information. The anomaly detection information may be information for representing whether the data packet sent by the device to be connected is anomalous. The execution main body can determine whether the data message sent by the device to be connected contains abnormal data or not in a characteristic comparison mode.
As an example, the executing entity may perform feature comparison between data in a data packet sent by the device to be connected and data features corresponding to computer viruses, and generate anomaly detection information representing an anomaly of the data packet sent by the device to be connected when a comparison result represents that the data packet sent by the device to be connected includes a computer virus.
In some optional implementation manners of some embodiments, the performing main body performs anomaly detection on the data packet sent by the device to be connected to generate the anomaly detection information, and may include the following steps:
First step, the target time period is segmented according to a preset sliding window size and a preset step length to generate a sub-target time period sequence.
The target time period may be the time period from the successful binding to the point at which the feedback information for the second heartbeat detection message is found not to have been received. The preset step length is the sliding step length of the preset sliding window.
Second step, determining the data amount of the data sent by the device to be connected in each sub-target time period in the sub-target time period sequence to generate a first quantity value, so as to obtain a first quantity value sequence.
The execution body may determine the data amount of the data transmitted by the device to be connected through the target interface in the target time period, so as to generate the first quantity value.
Third step, determining the mean transmission data amount according to the first quantity value sequence.
The execution body may determine the mean transmission data amount by the following formula:
Figure BDA0003428647750000141
where Ave represents the average transmission data amount. N represents the number of first quantity values in the first quantity value sequence. i represents a serial number. X represents a first quantity value in the first quantity value sequence. Xi denotes the ith first quantity value in the first quantity value sequence.
Fourth step, selecting the sub-target time period that meets the screening condition from the sub-target time period sequence as the candidate time period.
The screening condition may be that the sub-target time period is the last sub-target time period in the sub-target time period sequence.
Fifth step, generating a first abnormal degree value according to the first quantity value corresponding to the candidate time period and the mean transmission data amount.
The execution body may generate the first abnormal degree value according to the first quantity value corresponding to the candidate time period and the mean transmission data amount by using the following formula:
Figure BDA0003428647750000151
wherein F represents the first abnormality degree value. Z represents a first quantity value corresponding to the candidate time period. Ave represents the average transmission data amount.
Sixth step, determining a second abnormal degree value of the data message sent by the device to be connected through feature comparison.
The execution body may determine a similarity value between the data packet sent by the device to be connected and an abnormal data packet, and take the similarity value as the second abnormal degree value. The abnormal data message may be a data message that can harm the local area network. For example, the abnormal data message may be a data message containing a virus.
As an example, the execution body may determine the Euclidean distance between the data packet sent by the device to be connected and the abnormal data packet as the second abnormal degree value.
As another example, the execution body may determine the Manhattan distance between the data packet sent by the device to be connected and the abnormal data packet as the second abnormal degree value.
Seventh step, generating a third abnormal degree value through a pre-trained anomaly detection model and the data message sent by the device to be connected.
The anomaly detection model may be a model for detecting whether a data packet is abnormal. The third abnormal degree value may represent the degree of abnormality of the data packet sent by the device to be connected, as obtained by the anomaly detection model. The anomaly detection model may be, but is not limited to, any of the following: the Isolation Forest anomaly detection algorithm and the SVM (Support Vector Machine) algorithm.
Eighth step, performing a weighted summation of the first abnormal degree value, the second abnormal degree value, and the third abnormal degree value to generate the abnormality detection information.
As an example, the first abnormal degree value may be 0.7. The second abnormal degree value may be 0.9. The third abnormal degree value may be 0.98. The resulting abnormality detection information may be 0.86. When the abnormality detection information is greater than the target value, the data message sent by the device to be connected is considered abnormal. For example, the target value may be 0.8.
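The sliding-window segmentation, the mean Ave, the candidate value Z and the final weighted summation, as an added example that is not code from the patent. The formula that turns Z and Ave into the first abnormal degree value is an image missing from this page, so the three degree values are taken as inputs; the arithmetic mean, the equal weights (which reproduce the page's 0.86) and the packet samples are assumptions constructed for illustration.

```python
def split_windows(start, end, window, step):
    """Sub-target periods [s, s + window) that fit inside [start, end], sliding by step."""
    if window <= 0 or step <= 0:
        raise ValueError("window and step must be positive")
    periods = []
    s = start
    while s + window <= end:
        periods.append((s, s + window))
        s += step
    return periods


def window_volumes(packets, periods):
    """First quantity value X_i per period: bytes sent with lo <= timestamp < hi."""
    return [sum(size for ts, size in packets if lo <= ts < hi) for lo, hi in periods]


def candidate_and_mean(packets, start, end, window, step):
    """Return (Z, Ave): volume of the last sub-target period and the mean volume."""
    periods = split_windows(start, end, window, step)
    if not periods:
        raise ValueError("target period is shorter than one window")
    volumes = window_volumes(packets, periods)
    ave = sum(volumes) / len(volumes)  # arithmetic mean over the N first quantity values
    z = volumes[-1]                    # screening condition: the last sub-target period
    return z, ave


def combine(first, second, third, weights=(1 / 3, 1 / 3, 1 / 3)):
    """Weighted summation of the three abnormal degree values."""
    if len(weights) != 3 or abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("three weights summing to 1 are required")
    return weights[0] * first + weights[1] * second + weights[2] * third


def is_abnormal(score, target=0.8):
    """The page treats a score greater than the target value as abnormal."""
    return score > target


if __name__ == "__main__":
    # Constructed (timestamp in seconds, bytes) samples: quiet, then a burst.
    packets = [(0, 100), (5, 100), (12, 100), (18, 100), (25, 900), (28, 900)]
    print(split_windows(0, 30, 10, 5))
    print(candidate_and_mean(packets, 0, 30, 10, 5))  # burst shows up as Z far above Ave
    score = combine(0.7, 0.9, 0.98)                   # the page's example values
    print(round(score, 2), is_abnormal(score))
```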
Step 308, generating alarm information in response to determining that the abnormality detection information indicates that the data message sent by the device to be connected is abnormal.
In some embodiments, the executing body may generate alarm information in response to determining that the abnormality detection information indicates that the data packet sent by the device to be connected is abnormal. The alarm information may be information for alarm prompt. The execution main body can generate corresponding alarm information according to the abnormal type of the data message sent by the equipment to be connected.
As an example, when the data packet sent by the above-mentioned device to be connected contains a virus, the generated exception information may be "the data packet contains the virus, please note".
As another example, when the data packet sent by the above-mentioned device to be connected includes a data interception program, the generated exception prompting message may be "the data packet includes the data interception program, please note".
Step 309, sending the alarm information to a target terminal for display.
In some embodiments, the execution main body may send the alarm information to the target terminal for display by a wired connection or a wireless connection. The target terminal may be a terminal for displaying alarm information. For example, the target terminal may be a "computer", and the execution main body may send the alarm information to the "computer" in a wired connection manner. For another example, the target terminal may be a "handheld terminal", and the execution main body may send the alarm information to the "handheld terminal" in a wireless connection manner.
As can be seen from fig. 3, compared with the description of some embodiments corresponding to fig. 2, the present disclosure first adds a heartbeat detection step. In practice, a device connected to a switch occupies an interface on the switch, and when the device stops sending data to the switch, that interface is wasted. Heartbeat detection is therefore required to determine whether a device is sending data to the switch. Sending the heartbeat detection message twice avoids misjudgment. In addition, when the amount of data sent by the device within a time period is less than the data transmission threshold, the interface of the switch may also be considered wasted. Therefore, it is also necessary to generate communication state information that characterizes the abnormality of the device. In this way, efficient use of the interfaces of the switch can be ensured. In addition, considering that the switch is the center of data exchange for the entire local area network and is very vulnerable to attack, it is necessary to perform anomaly detection on data transmitted to the switch. Determining the first abnormal degree value over divided time periods better prevents flooding traffic from occupying the computing resources of the switch. Then, a second abnormal degree value of the data message sent by the device to be connected is determined through feature comparison. Feature comparison identifies abnormal data messages well, but in practice it can only compare against known abnormal messages, so an anomaly detection model is introduced to detect unknown abnormal messages. Finally, the three abnormal degree values are considered together, so that whether the data message sent by the device to be connected is abnormal can be determined accurately, which greatly improves the security of the local area network.
With further reference to fig. 4, as an implementation of the methods shown in the above figures, the present disclosure provides some embodiments of a device binding apparatus, which correspond to those shown in fig. 2, and which may be applied in various electronic devices.
As shown in fig. 4, the device binding apparatus 400 of some embodiments includes: an identification unit 401, a determination unit 402, a binding unit 403 and a communication unit 404. The identification unit 401 is configured to identify whether a device to be connected is in communication connection with the target interface; a determining unit 402, configured to determine, in response to the existence of the communication connection between the device to be connected and the target interface, a communication protocol included in a data packet sent by the device to be connected, so as to generate communication protocol information; a binding unit 403, configured to bind a target communication protocol and a target communication address to the target interface, where the target communication protocol is a communication protocol corresponding to the communication type information, and the target communication address is a communication address corresponding to the device to be connected; a communication unit 404 configured to communicate with the device to be connected through the target interface in response to the binding being successful.
In some optional implementations of some embodiments, the apparatus 400 further includes: a communication normality determining unit (not shown in the figure) and a rejecting unit (not shown in the figure), wherein the communication normality determining unit is configured to determine whether communication with the to-be-connected device is normal or not so as to generate communication state information; a rejection unit configured to reject communication with a device other than the device to be connected through the target interface in response to determining that the communication status information indicates a communication interruption with the device to be connected.
In some optional implementations of some embodiments, the apparatus 400 further includes: the device comprises an abnormality detection unit (not shown in the figure), a generation unit (not shown in the figure) and a display unit (not shown in the figure), wherein the abnormality detection unit is configured to perform abnormality detection on the data message sent by the device to be connected so as to generate abnormality detection information; the generating unit is configured to respond to the fact that the abnormity detection information represents that the data message sent by the equipment to be connected is abnormal, and generate alarm information; and the display unit is configured to send the alarm information to the target terminal for display.
In some optional implementations of some embodiments, the determining unit 402 is further configured to: and determining a communication protocol included in the data message sent by the equipment to be connected according to the protocol identifier carried by the data message sent by the equipment to be connected so as to generate communication protocol information.
In some optional implementations of some embodiments, the binding unit 403 is further configured to: performing information association on the target communication protocol and the target interface to generate first associated information; and performing information association on the target communication address and the target interface to generate second associated information.
In some optional implementations of some embodiments, the communication normality determining unit is further configured to: in response to not receiving a data message sent by the device to be connected after the first target duration, send a first heartbeat detection message to the device to be connected; in response to receiving feedback information for the first heartbeat detection message returned by the device to be connected, generate communication state information representing normal communication with the device to be connected; in response to not receiving feedback information for the first heartbeat detection message returned by the device to be connected after a second target duration, send a second heartbeat detection message to the device to be connected; in response to receiving feedback information for the second heartbeat detection message returned by the device to be connected, generate communication state information representing normal communication with the device to be connected; in response to not receiving feedback information for the second heartbeat detection message returned by the device to be connected after the second target duration, determine the total data amount of the data sent by the device to be connected in the target time period; and in response to the total data amount being smaller than the data transmission threshold corresponding to the target interface, generate communication state information representing abnormal communication with the device to be connected.
In some optional implementations of some embodiments, the above-mentioned anomaly detection unit is further configured to: segmenting the target time period through a preset sliding window size and a preset step length to generate a sub-target time period sequence; determining the data volume of the data sent by the equipment to be connected in each sub-target time period in the sub-target time period sequence to generate a first quantity value, and obtaining a first quantity value sequence; determining a mean value sending data volume according to the first quantity value sequence; selecting the sub-target time periods meeting the screening condition from the sub-target time period sequence as candidate time periods; generating a first abnormal degree value according to a first quantity value corresponding to the candidate time period and the mean value sending data volume; determining a second abnormal degree value of the data message sent by the equipment to be connected through characteristic comparison; generating a third anomaly degree value through a pre-trained anomaly detection model and a data message sent by the equipment to be connected; and generating the abnormality detection information by performing a weighted summation of the first abnormality degree value, the second abnormality degree value, and the third abnormality degree value.
It will be understood that the elements described in the apparatus 400 correspond to various steps in the method described with reference to fig. 2. Thus, the operations, features and resulting advantages described above with respect to the method are also applicable to the apparatus 400 and the units included therein, and will not be described herein again.
Referring now to FIG. 5, shown is a block diagram of an electronic device 500 (such as computing device 101 shown in FIG. 1) suitable for use in implementing some embodiments of the present disclosure. The electronic device shown in fig. 5 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 5, electronic device 500 may include a processing means (e.g., central processing unit, graphics processor, etc.) 501 that may perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM) 502 or a program loaded from a storage means 508 into a Random Access Memory (RAM) 503. In the RAM 503, various programs and data necessary for the operation of the electronic apparatus 500 are also stored. The processing device 501, the ROM 502, and the RAM 503 are connected to each other through a bus 504. An input/output (I/O) interface 505 is also connected to bus 504.
Generally, the following devices may be connected to the I/O interface 505: input devices 506 including, for example, a touch screen, touch pad, keyboard, mouse, camera, microphone, accelerometer, gyroscope, etc.; output devices 507 including, for example, a Liquid Crystal Display (LCD), speakers, vibrators, and the like; storage devices 508 including, for example, magnetic tape, hard disk, etc.; and a communication device 509. The communication means 509 may allow the electronic device 500 to communicate with other devices wirelessly or by wire to exchange data. While fig. 5 illustrates an electronic device 500 having various means, it is to be understood that not all illustrated means are required to be implemented or provided. More or fewer devices may alternatively be implemented or provided. Each block shown in fig. 5 may represent one device or may represent multiple devices as desired.
In particular, according to some embodiments of the present disclosure, the processes described above with reference to the flow diagrams may be implemented as computer software programs. For example, some embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In some such embodiments, the computer program may be downloaded and installed from a network via the communication means 509, or installed from the storage means 508, or installed from the ROM 502. The computer program, when executed by the processing device 501, performs the above-described functions defined in the methods of some embodiments of the present disclosure.
It should be noted that the computer readable medium described in some embodiments of the present disclosure may be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In some embodiments of the disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In some embodiments of the present disclosure, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. 
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, optical cables, RF (radio frequency), etc., or any suitable combination of the foregoing.
In some embodiments, clients and servers may communicate using any currently known or future-developed network protocol, such as HTTP (HyperText Transfer Protocol), and may be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include a local area network ("LAN"), a wide area network ("WAN"), an internetwork (e.g., the Internet), and peer-to-peer networks (e.g., ad hoc peer-to-peer networks), as well as any currently known or future-developed network.
The computer readable medium may be embodied in the electronic device, or may exist separately without being assembled into the electronic device. The computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to: identify whether a device to be connected has a communication connection with a target interface; in response to a communication connection existing between the device to be connected and the target interface, determine a communication protocol included in a data message sent by the device to be connected, so as to generate communication protocol information; bind a target communication protocol and a target communication address to the target interface, wherein the target communication protocol is the communication protocol corresponding to the communication protocol information, and the target communication address is the communication address corresponding to the device to be connected; and, in response to the binding succeeding, communicate with the device to be connected through the target interface.
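The binding step listed above, together with the two-probe liveness check that the claims add, as an added Python example (not code from the patent). The `Frame` fields, the `PROTOCOLS` map, the state names and the `probe` callback are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Frame:
    src: str        # communication address of the sender (assumed: a MAC-like string)
    proto_id: int   # protocol identifier carried by the data message
    size: int       # payload size in bytes

# Constructed identifier-to-protocol map; the patent does not enumerate protocols.
PROTOCOLS = {0x01: "modbus", 0x02: "opcua"}

class BoundInterface:
    """One target interface holding at most one (protocol, address) binding."""

    def __init__(self, data_threshold: int):
        self.protocol: Optional[str] = None
        self.address: Optional[str] = None
        self.data_threshold = data_threshold  # per-interface data transmission threshold
        self.state = "unbound"

    def bind(self, first: Frame) -> bool:
        """Bind protocol and address taken from the first data message seen."""
        proto = PROTOCOLS.get(first.proto_id)
        if proto is None or self.address is not None:
            return False  # unknown protocol identifier, or interface already bound
        self.protocol, self.address, self.state = proto, first.src, "normal"
        return True

    def admit(self, frame: Frame) -> bool:
        """Accept only the bound device speaking the bound protocol.

        The check does not depend on self.state: when the bound device goes
        silent the binding stays, so another device cannot take over the port.
        """
        return (self.address == frame.src
                and self.protocol == PROTOCOLS.get(frame.proto_id))

    def check_liveness(self, silent_for: float, first_target: float,
                       probe: Callable[[], bool], bytes_in_period: int) -> str:
        """probe() sends one heartbeat, waits the second target duration and
        returns True if feedback arrived (assumed interface)."""
        if silent_for <= first_target:
            self.state = "normal"          # data still flowing, no probe needed
        elif probe() or probe():           # second heartbeat only if the first failed
            self.state = "normal"
        elif bytes_in_period < self.data_threshold:
            self.state = "abnormal"        # two missed heartbeats and low volume
        # Two missed heartbeats with volume at or above the threshold is not
        # covered by the claims; this sketch leaves the state unchanged.
        return self.state
```
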
Computer program code for carrying out operations of embodiments of the present disclosure may be written in one or more programming languages or any combination thereof, including object-oriented programming languages such as Java, Smalltalk and C++, and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in some embodiments of the present disclosure may be implemented in software or in hardware. The described units may also be provided in a processor, which may be described as: a processor including an identifying unit, a determining unit, a binding unit, and a communicating unit. The names of these units do not, in some cases, limit the units themselves; for example, the identifying unit may also be described as "a unit that identifies whether a device to be connected has a communication connection with the target interface".
The functions described herein above may be performed, at least in part, by one or more hardware logic components. For example, without limitation, exemplary types of hardware logic components that may be used include: Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems on a Chip (SOCs), Complex Programmable Logic Devices (CPLDs), and the like.
The foregoing description is only of the preferred embodiments of the disclosure and illustrates the principles of the technology employed. It will be appreciated by those skilled in the art that the scope of the invention in the embodiments of the present disclosure is not limited to the specific combination of the above-mentioned features, but also encompasses other embodiments formed by any combination of the above-mentioned features or their equivalents without departing from the inventive concept defined above, for example, technical solutions formed by mutually replacing the above features with (but not limited to) features having similar functions disclosed in the embodiments of the present disclosure.

Claims (6)

1. A device binding method, comprising:
identifying whether a device to be connected has a communication connection with a target interface;
in response to a communication connection existing between the device to be connected and the target interface, determining a communication protocol included in a data message sent by the device to be connected, so as to generate communication protocol information;
binding a target communication protocol and a target communication address to the target interface, wherein the target communication protocol is a communication protocol corresponding to the communication protocol information, and the target communication address is a communication address corresponding to the device to be connected;
in response to the binding succeeding, communicating with the device to be connected through the target interface;
determining whether communication with the device to be connected is normal, so as to generate communication state information;
in response to determining that the communication state information indicates that communication with the device to be connected is interrupted, refusing to communicate, through the target interface, with devices other than the device to be connected;
performing anomaly detection on the data message sent by the device to be connected to generate anomaly detection information;
in response to the anomaly detection information indicating that the data message sent by the device to be connected is abnormal, generating alarm information;
sending the alarm information to a target terminal for display,
wherein the determining whether communication with the device to be connected is normal, so as to generate communication state information, comprises:
in response to no data message sent by the device to be connected being received after a first target duration, sending a first heartbeat detection message to the device to be connected;
in response to receiving feedback information returned by the device to be connected for the first heartbeat detection message, generating communication state information indicating that communication with the device to be connected is normal;
in response to not receiving, after a second target duration, feedback information returned by the device to be connected for the first heartbeat detection message, sending a second heartbeat detection message to the device to be connected;
in response to receiving feedback information returned by the device to be connected for the second heartbeat detection message, generating communication state information indicating that communication with the device to be connected is normal;
in response to not receiving, after the second target duration, feedback information returned by the device to be connected for the second heartbeat detection message, determining the total data amount of the data sent by the device to be connected in the target time period;
in response to the total data amount being smaller than the data transmission threshold corresponding to the target interface, generating communication state information indicating that communication with the device to be connected is abnormal,
and wherein the performing anomaly detection on the data message sent by the device to be connected to generate anomaly detection information comprises:
segmenting the target time period according to a preset sliding-window size and a preset step length to generate a sub-target time period sequence;
determining the data amount of the data sent by the device to be connected in each sub-target time period in the sub-target time period sequence to generate a first quantity value, thereby obtaining a first quantity value sequence;
determining a mean sent data amount according to the first quantity value sequence;
selecting, from the sub-target time period sequence, the sub-target time periods that meet the screening condition as candidate time periods;
generating a first anomaly degree value according to the first quantity value corresponding to the candidate time period and the mean sent data amount;
determining, through feature comparison, a second anomaly degree value of the data message sent by the device to be connected;
generating a third anomaly degree value through a pre-trained anomaly detection model and the data message sent by the device to be connected;
performing a weighted summation of the first anomaly degree value, the second anomaly degree value, and the third anomaly degree value to generate the anomaly detection information.
2. The method according to claim 1, wherein the determining a communication protocol included in the data packet sent by the device to be connected to generate communication protocol information includes:
determining the communication protocol included in the data message sent by the device to be connected according to the protocol identifier carried by that data message, so as to generate communication protocol information.
3. The method of claim 2, wherein said binding a target communication protocol and a target communication address to said target interface comprises:
associating the target communication protocol with the target interface to generate first association information;
associating the target communication address with the target interface to generate second association information.
4. A device binding apparatus comprising:
the device comprises an identification unit, a processing unit and a control unit, wherein the identification unit is configured to identify whether a device to be connected is in communication connection with a target interface;
a determining unit configured to determine, in response to a communication connection existing between the device to be connected and the target interface, a communication protocol included in a data message sent by the device to be connected, so as to generate communication protocol information;
a binding unit configured to bind a target communication protocol and a target communication address to the target interface, wherein the target communication protocol is a communication protocol corresponding to the communication type information, and the target communication address is a communication address corresponding to the device to be connected;
a communication unit configured to communicate with the device to be connected through the target interface in response to the binding succeeding;
a communication normality determining unit configured to determine whether communication with the device to be connected is normal, so as to generate communication state information;
a rejection unit configured to refuse, in response to determining that the communication state information indicates that communication with the device to be connected is interrupted, to communicate through the target interface with devices other than the device to be connected;
an anomaly detection unit configured to perform anomaly detection on the data message sent by the device to be connected to generate anomaly detection information;
a generating unit configured to generate alarm information in response to the anomaly detection information indicating that the data message sent by the device to be connected is abnormal;
a display unit configured to send the alarm information to a target terminal for display,
wherein the determining whether communication with the device to be connected is normal, so as to generate communication state information, comprises:
in response to no data message sent by the device to be connected being received after a first target duration, sending a first heartbeat detection message to the device to be connected;
in response to receiving feedback information returned by the device to be connected for the first heartbeat detection message, generating communication state information indicating that communication with the device to be connected is normal;
in response to not receiving, after a second target duration, feedback information returned by the device to be connected for the first heartbeat detection message, sending a second heartbeat detection message to the device to be connected;
in response to receiving feedback information returned by the device to be connected for the second heartbeat detection message, generating communication state information indicating that communication with the device to be connected is normal;
in response to not receiving, after the second target duration, feedback information returned by the device to be connected for the second heartbeat detection message, determining the total data amount of the data sent by the device to be connected in the target time period;
in response to the total data amount being smaller than the data transmission threshold corresponding to the target interface, generating communication state information indicating a communication abnormality of the device to be connected,
and wherein the performing anomaly detection on the data message sent by the device to be connected to generate anomaly detection information comprises:
segmenting the target time period according to a preset sliding-window size and a preset step length to generate a sub-target time period sequence;
determining the data amount of the data sent by the device to be connected in each sub-target time period in the sub-target time period sequence to generate a first quantity value, thereby obtaining a first quantity value sequence;
determining a mean sent data amount according to the first quantity value sequence;
selecting, from the sub-target time period sequence, the sub-target time periods that meet the screening condition as candidate time periods;
generating a first anomaly degree value according to the first quantity value corresponding to the candidate time period and the mean sent data amount;
determining, through feature comparison, a second anomaly degree value of the data message sent by the device to be connected;
generating a third anomaly degree value through a pre-trained anomaly detection model and the data message sent by the device to be connected;
performing a weighted summation of the first anomaly degree value, the second anomaly degree value, and the third anomaly degree value to generate the anomaly detection information.
5. An electronic device, comprising:
one or more processors;
a storage device having one or more programs stored thereon;
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-3.
6. A computer-readable medium, on which a computer program is stored, wherein the program, when executed by a processor, implements the method of any one of claims 1 to 3.
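The sliding-window scoring recited in claim 1, worked through on constructed traffic as an added Python example (not code from the patent). The claims leave the screening condition, the formula for the first anomaly degree value and the weights open, so the choices below (volume above `factor` times the mean, score `1 - mean/peak`, weights 0.4/0.3/0.3) are assumptions, and the second and third values are taken as inputs.

```python
from statistics import mean

def sliding_windows(start, end, size, step):
    """Split [start, end) into sub-periods of length `size`, advancing by `step`."""
    windows, t = [], start
    while t + size <= end:
        windows.append((t, t + size))
        t += step
    return windows

def window_volumes(packets, windows):
    """packets: list of (timestamp, byte_count).
    Returns the bytes sent in each window (the "first quantity value" sequence)."""
    return [sum(n for ts, n in packets if lo <= ts < hi) for lo, hi in windows]

def first_anomaly_value(volumes, factor=2.0):
    """Assumed screening condition: a window is a candidate when its volume
    exceeds `factor` times the mean. Assumed score: 1 - mean/peak over the
    candidates, which stays in (0, 1) and grows with the size of the burst."""
    avg = mean(volumes) if volumes else 0
    candidates = [v for v in volumes if avg > 0 and v > factor * avg]
    if not candidates:
        return 0.0
    return 1.0 - avg / max(candidates)

def anomaly_score(packets, period, size, step, second, third,
                  weights=(0.4, 0.3, 0.3)):
    """Weighted sum of the three anomaly degree values.
    `second` (feature comparison) and `third` (model output) are supplied by
    the caller, each assumed to be already scaled to [0, 1]."""
    volumes = window_volumes(packets, sliding_windows(*period, size, step))
    first = first_anomaly_value(volumes)
    w1, w2, w3 = weights
    return w1 * first + w2 * second + w3 * third

# Constructed traffic for a 60-second target period: one 100-byte message
# every 10 seconds, then the same trace with a 1900-byte burst at t=52.
STEADY = [(5, 100), (15, 100), (25, 100), (35, 100), (45, 100)]
BURST = STEADY + [(52, 1900)]

if __name__ == "__main__":
    for name, trace in (("steady", STEADY), ("burst", BURST)):
        score = anomaly_score(trace, (0, 60), 20, 10, second=0.0, third=0.0)
        print(name, round(score, 3))
```

Because the mean is computed over the same windows that are being screened, a large burst raises its own baseline, and with a step smaller than the window size a burst in an overlap region is counted in two windows.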
CN202111587948.8A 2021-12-23 2021-12-23 Device binding method and device, electronic device and computer readable medium Active CN114499949B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111587948.8A CN114499949B (en) 2021-12-23 2021-12-23 Device binding method and device, electronic device and computer readable medium


Publications (2)

Publication Number Publication Date
CN114499949A CN114499949A (en) 2022-05-13
CN114499949B true CN114499949B (en) 2022-09-20

Family

ID=81494857

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111587948.8A Active CN114499949B (en) 2021-12-23 2021-12-23 Device binding method and device, electronic device and computer readable medium

Country Status (1)

Country Link
CN (1) CN114499949B (en)

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1310478C (en) * 1999-02-23 2007-04-11 阿尔卡塔尔互联网运行公司 Multi-business network switch with independent protocol stack system structure
US8788823B1 (en) * 2003-09-03 2014-07-22 Cisco Technology, Inc. System and method for filtering network traffic
CN107438068B (en) * 2017-07-04 2019-12-06 杭州迪普科技股份有限公司 method and device for preventing ARP attack
CN110855634A (en) * 2019-10-24 2020-02-28 北京电信易通信息技术股份有限公司 Cross-network switching service system and method based on secure network
CN112422567B (en) * 2020-11-18 2022-11-15 清创网御(合肥)科技有限公司 Network intrusion detection method oriented to large flow

Also Published As

Publication number Publication date
CN114499949A (en) 2022-05-13


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant