CN115834118A - Method and device for monitoring security of application software of power distribution internet of things terminal - Google Patents


Info

Publication number
CN115834118A
Authority
CN
China
Prior art keywords
software
internet
information
white list
things terminal
Prior art date
Legal status
Pending
Application number
CN202211243291.8A
Other languages
Chinese (zh)
Inventor
封保占
杜金宝
国涛
林亮成
赵学智
李帅
由新红
姜帆
张鸿林
刘凌凯
Current Assignee
State Grid Siji Network Security Beijing Co ltd
State Grid Information and Telecommunication Co Ltd
Electric Power Research Institute of State Grid Shandong Electric Power Co Ltd
Original Assignee
State Grid Siji Network Security Beijing Co ltd
State Grid Information and Telecommunication Co Ltd
Electric Power Research Institute of State Grid Shandong Electric Power Co Ltd
Priority date
Filing date
Publication date
Application filed by State Grid Siji Network Security Beijing Co ltd, State Grid Information and Telecommunication Co Ltd, Electric Power Research Institute of State Grid Shandong Electric Power Co Ltd
Priority to CN202211243291.8A
Publication of CN115834118A
Legal status: Pending

Landscapes

  • Stored Programmes (AREA)

Abstract

The embodiment of the application provides a method and a device for monitoring the security of application software of a power distribution internet of things terminal, which are applied to an internet of things terminal and comprise the following steps: acquiring the current operation characteristics of all application software in the operation process of the internet of things terminal, where the current operation characteristics comprise authority characteristics, access characteristics, dependency characteristics, attribute characteristics and resource characteristics; matching the current operation characteristics with the corresponding characteristics in a pre-constructed software white list; and in response to the presence of an unmatched characteristic, outputting alert information. The method and the device can monitor whether the running application software is abnormal by using the limited resources of the internet of things terminal, and ensure the normal running of the software on the internet of things terminal.

Description

Method and device for monitoring security of application software of power distribution internet of things terminal
Technical Field
The embodiment of the application relates to the technical field of Internet of things, in particular to a method and a device for monitoring the safety of application software of a power distribution Internet of things terminal.
Background
The power distribution network is the key link of a power system that faces users, and with the application and development of internet of things technology in the power distribution network, the internet of things terminals of the power distribution network carry important tasks such as guaranteeing power consumption quality, power supply reliability and convenience. Because the network environment is complex, the internet of things terminals that access the network carry security risks; once an internet of things terminal behaves abnormally, the normal function of the terminal may be affected, and even the security of the whole distribution network.
Disclosure of Invention
In view of this, an object of the embodiment of the present application is to provide a method and an apparatus for monitoring security of application software of a power distribution internet of things terminal, which can monitor whether the application software of the internet of things terminal is abnormal.
Based on the above purpose, the embodiment of the application provides a method for monitoring the safety of application software of a power distribution internet of things terminal, which is applied to an internet of things terminal and comprises the following steps:
acquiring the current operation characteristics of all application software in the operation process of the internet of things terminal; wherein the current operation characteristics comprise authority characteristics, access characteristics, dependence characteristics, attribute characteristics and resource characteristics;
matching the current operating characteristics with corresponding characteristics in a pre-constructed software white list;
in response to the presence of the unmatched characteristic, outputting alert information.
Optionally, before the terminal of the internet of things leaves the factory, the method further includes:
in the running process of the Internet of things terminal sample, obtaining the safe running characteristics of all application software;
according to the hardware attribute and the system attribute of the Internet of things terminal sample, dividing different types of Internet of things terminal samples and the safe operation characteristic corresponding to each type of Internet of things terminal sample;
and constructing a software white list corresponding to the corresponding type of the internet of things terminal according to the corresponding safe operation characteristics of the various types of the internet of things terminal samples.
Optionally, the authority feature includes user information of executable software and an authority type of the software; the dependency characteristics include third party library information on which software execution depends;
matching the current operating characteristics with corresponding characteristics in a pre-constructed software white list, including:
respectively matching the user information and the authority type of the executable software with the user information and the authority type of the executable software in the software white list;
matching the current operating characteristics with corresponding characteristics in a pre-constructed software white list, including:
and matching the third-party library information depended by the software execution with the third-party library information in the software white list.
Optionally, the access characteristics include an absolute path of a file accessed by software, a peripheral identifier, network information, and a system call type;
matching the current operating characteristics with corresponding characteristics in a pre-constructed software white list, including:
and respectively matching the absolute path, the peripheral identification, the network information and the system calling type of the file accessed by the software with the absolute path, the peripheral identification, the network information and the system calling type of the accessible file in the software white list.
Optionally, the attribute features include a software name, an installation path, owner information, a digest value, creation time, modification time, and an occupied space;
matching the current operating characteristics with corresponding characteristics in a pre-constructed software white list, including:
and respectively matching the software name, the installation path, the owner information, the digest value, the creation time, the modification time and the occupied space with the software name, the installation path, the owner information, the digest value, the creation time, the modification time and the occupied space in the software white list.
Optionally, the resource characteristics include CPU occupation and memory occupation in software operation;
matching the current operating characteristics with corresponding characteristics in a pre-constructed software white list, including:
and respectively matching the CPU occupation amount and the memory occupation amount in the software running with the CPU occupation amount range and the memory occupation amount range in the software white list.
Optionally, when the application software is updated, the method further includes:
acquiring the safe operation characteristics of updated application software in the operation process of the Internet of things terminal sample;
and updating the software white list according to the updated safe operation characteristics.
Optionally, the method further includes: acquiring process information of application software; after obtaining the current operating characteristics of all the application software, the method further includes:
constructing a hash table for storing the network information and the process information, taking the object identifier associated with the network information and the process information as the index value; or, alternatively,
generating an index value based on the source port number and the destination port number in the network information, and constructing a hash table.
Optionally, the outputting the alarm information in response to the unmatched characteristic includes:
and responding to the unmatched characteristics, and outputting alarm information to the Internet of things server according to a preset alarm mode, wherein the alarm information comprises a terminal identifier of the Internet of things terminal and an abnormal state code corresponding to the unmatched characteristics.
The embodiment of the application also provides a device for monitoring the security of the application software of the power distribution internet of things terminal, which comprises:
the acquisition module is used for acquiring the current operation characteristics of all application software in the operation process of the internet of things terminal; wherein the current operation characteristics comprise authority characteristics, access characteristics, dependence characteristics, attribute characteristics and resource characteristics;
the matching module is used for matching the current operation characteristics with corresponding characteristics in a pre-constructed software white list;
and the output module is used for responding to the unmatched characteristics and outputting alarm information.
As can be seen from the above, according to the method and the device for monitoring the security of the application software of the power distribution internet of things terminal provided by the embodiment of the application, in the operation process of the internet of things terminal, the current operation characteristics of all the application software are obtained, the current operation characteristics are matched with the corresponding characteristics in the pre-constructed software white list, and if unmatched characteristics exist, alarm information is output. The method and the device can monitor whether the running application software is abnormal or not by using the limited resources of the internet of things terminal, and ensure the normal running of the software on the internet of things terminal.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only the embodiments of the present application, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a schematic flow chart of a method according to an embodiment of the present application;
FIG. 2 is a schematic structural diagram of an apparatus according to an embodiment of the present application;
fig. 3 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
For the purpose of promoting a better understanding of the objects, aspects and advantages of the present disclosure, reference is made to the following detailed description taken in conjunction with the accompanying drawings.
It should be noted that technical terms or scientific terms used in the embodiments of the present application should have a general meaning as understood by those having ordinary skill in the art to which the present disclosure belongs, unless otherwise defined. The use of "first," "second," and similar terms in the embodiments of the present application do not denote any order, quantity, or importance, but rather the terms are used to distinguish one element from another. The word "comprising" or "comprises", and the like, means that the element or item listed before the word covers the element or item listed after the word and its equivalents, but does not exclude other elements or items. The terms "connected" or "coupled" and the like are not restricted to physical or mechanical connections, but may include electrical connections, whether direct or indirect. "upper", "lower", "left", "right", and the like are used merely to indicate relative positional relationships, and when the absolute position of the object being described is changed, the relative positional relationships may also be changed accordingly.
As shown in fig. 1, an embodiment of the present application provides a method for monitoring security of application software of a power distribution internet of things terminal, which is applied to an internet of things terminal, and includes:
s101: acquiring the current operation characteristics of all application software in the operation process of the internet of things terminal;
in this embodiment, the internet of things terminal is provided with lightweight monitoring software, and in the operation process of the internet of things terminal, the monitoring software is used for acquiring the current operation characteristics of all application software on the internet of things terminal in real time.
The current operation characteristics comprise authority characteristics, access characteristics, dependency characteristics, attribute characteristics and resource characteristics. The authority characteristics of the software comprise the user information of the executable software and the authority type, such as administrator authority or general user authority, which is assigned according to the user identity.
The access characteristics of the software comprise the absolute path of a file accessed by the software, the identifier of a peripheral accessed by the software, the network information accessed by the software and the type of system call made by the software. Examples are the absolute path of the log file accessed while the software runs, the absolute path of a system file accessed, the identifier of an accessed external device, and the accessed network information (including IP address, port number, protocol type, connection state, etc.). Optionally, depending on the configuration of the internet of things terminal, the external device may include a serial port, a USB interface, a network interface, a 485 communication interface, a wireless module (e.g., a Bluetooth module or a WiFi module), a communication module (e.g., a 4G module), and the like. System calls that the software may make include exit, fork, open, read, write, kill, rmdir, rename, and so forth.
The dependent features of the software include third party library information, e.g., third party library name, version number, on which the software is dependent for execution. The resource characteristics of the software comprise a CPU occupation amount range and a memory occupation amount range in the running process of the software. The attribute characteristics of the software include a software name, an installation path, owner information, a digest value, a creation time, a modification time, a space occupied, and the like.
S102: matching the current operating characteristics with corresponding characteristics in a pre-constructed software white list;
In this embodiment, each feature in the current operating features is matched item by item with the corresponding feature in the software white list. Specifically, for the digest value of the software, recomputing the digest on every match consumes a large amount of computing resources and degrades system performance; therefore the digest is not recalculated for every match, but only when the modification time of the software changes, and the matching is performed against the most recently calculated digest.
S103: in response to the presence of the unmatched characteristic, outputting alert information.
In this embodiment, after the current operating characteristics of the software are obtained, each characteristic is respectively matched with a corresponding characteristic in the software white list, if each characteristic is matched with a corresponding characteristic in the software white list, the software is not abnormal, and if one or more characteristics are not matched with corresponding characteristics in the software white list, the software corresponding to the unmatched characteristics is abnormal, and alarm information is output aiming at the abnormality.
The method for monitoring the security of application software of a power distribution internet of things terminal addresses the low resource configuration and limited processing capability of the internet of things terminal by performing anomaly detection on all application software running on the terminal with locally installed lightweight monitoring software. In the operation process of the internet of things terminal, the monitoring software acquires the current operation characteristics of all application software, compares each characteristic with the corresponding characteristic in the software white list, and judges whether it matches. If all characteristics match, all application software of the internet of things terminal is running normally and nothing is abnormal; if one or more characteristics do not match, the software corresponding to the unmatched characteristics is abnormal, and alarm information is output promptly.
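The matching step S102 and the alert of S103, as an added example (not code from the patent): a Python matcher that checks the five feature categories against a whitelist entry, recomputes the digest only when the modification time changes as described above, and emits alert information with a terminal identifier and abnormal state codes. The whitelist entry, the file contents and the state code values are constructed for this example; treating "matching" as a subset check for set-valued features is an assumption.

```python
import hashlib

# Abnormal state codes carried in the alert; constructed for this example,
# the patent only says such codes exist.
STATE_CODES = {"authority": 1, "access": 2, "dependency": 3, "attribute": 4, "resource": 5}


def cached_digest(path, mtime, read_bytes, cache):
    """SHA-256 of the software file, recomputed only when the modification time
    changed; read_bytes(path) supplies the content so no filesystem is touched."""
    hit = cache.get(path)
    if hit is not None and hit[0] == mtime:
        return hit[1]
    digest = hashlib.sha256(read_bytes(path)).hexdigest()
    cache[path] = (mtime, digest)
    return digest


def match_software(current, allowed, cache, read_bytes):
    """Match one application's current features against its whitelist entry."""
    unmatched = []
    # Authority: executing user and authority type must be identical.
    if current["authority"] != allowed["authority"]:
        unmatched.append("authority")
    # Access: every observed file, peripheral, network endpoint and system call
    # must be listed (subset semantics; the patent just says "matching").
    if any(not current["access"][k] <= allowed["access"][k]
           for k in ("files", "peripherals", "network", "syscalls")):
        unmatched.append("access")
    # Dependency: every loaded third-party (library, version) must be listed.
    if not current["dependency"] <= allowed["dependency"]:
        unmatched.append("dependency")
    # Attribute: name, path, owner, times, size and the (cached) digest.
    attr = dict(current["attribute"])
    attr["digest"] = cached_digest(attr["install_path"], attr["modification_time"],
                                   read_bytes, cache)
    if attr != allowed["attribute"]:
        unmatched.append("attribute")
    # Resource: CPU and memory occupation must lie inside the whitelist ranges.
    if any(not allowed["resource"][k][0] <= current["resource"][k] <= allowed["resource"][k][1]
           for k in ("cpu_percent", "memory_kb")):
        unmatched.append("resource")
    return unmatched


def build_alert(terminal_id, software, unmatched):
    """Alert information: terminal identifier plus one abnormal state code per category."""
    return {"terminal_id": terminal_id, "software": software,
            "state_codes": [STATE_CODES[c] for c in unmatched]}


# Constructed sample data, not taken from the patent.
BIN_PATH = "/opt/meter_reader/bin/meter_reader"
FAKE_FILES = {BIN_PATH: b"\x7fELF example binary"}
READ_CALLS = []  # records every real (non-cached) read of the binary


def read_fake(path):
    READ_CALLS.append(path)
    return FAKE_FILES[path]


ALLOWED = {
    "authority": {"user": "iot", "authority_type": "general"},
    "access": {"files": {"/var/log/meter.log", "/etc/meter.conf"},
               "peripherals": {"/dev/ttyS1"},
               "network": {("10.1.2.3", 502, "tcp")},
               "syscalls": {"open", "read", "write", "exit"}},
    "dependency": {("libmodbus", "3.1.6")},
    "attribute": {"name": "meter_reader", "install_path": BIN_PATH, "owner": "iot",
                  "creation_time": 1700000000, "modification_time": 1700000000,
                  "size_bytes": len(FAKE_FILES[BIN_PATH]),
                  "digest": hashlib.sha256(FAKE_FILES[BIN_PATH]).hexdigest()},
    "resource": {"cpu_percent": (0.0, 15.0), "memory_kb": (0, 32768)},
}


def run_example():
    """Two normal rounds (second served from the digest cache), then an abnormal one."""
    del READ_CALLS[:]
    cache = {}
    normal = {
        "authority": {"user": "iot", "authority_type": "general"},
        "access": {"files": {"/var/log/meter.log"}, "peripherals": {"/dev/ttyS1"},
                   "network": {("10.1.2.3", 502, "tcp")}, "syscalls": {"open", "read"}},
        "dependency": {("libmodbus", "3.1.6")},
        "attribute": {k: v for k, v in ALLOWED["attribute"].items() if k != "digest"},
        "resource": {"cpu_percent": 3.5, "memory_kb": 12000},
    }
    first = match_software(normal, ALLOWED, cache, read_fake)
    second = match_software(normal, ALLOWED, cache, read_fake)
    # Abnormal round: unexpected remote endpoint, unlisted library, CPU spike.
    abnormal = dict(normal)
    abnormal["access"] = dict(normal["access"], network={("203.0.113.9", 8080, "tcp")})
    abnormal["dependency"] = {("libmodbus", "3.1.6"), ("libextra", "0.1")}
    abnormal["resource"] = {"cpu_percent": 95.0, "memory_kb": 12000}
    third = match_software(abnormal, ALLOWED, cache, read_fake)
    return first, second, third, len(READ_CALLS), build_alert("DTU-0042", "meter_reader", third)
```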
In some embodiments, the software white list is constructed before the terminal of the internet of things leaves the factory, and the method includes:
in the running process of the Internet of things terminal sample, obtaining the safe running characteristics of all application software;
according to the hardware attribute and the system attribute of the Internet of things terminal sample, dividing different types of Internet of things terminal samples and the safe operation characteristics corresponding to the various types of Internet of things terminal samples;
and constructing a software white list corresponding to the corresponding type of the internet of things terminal according to the corresponding safe operation characteristics of the various types of the internet of things terminal samples.
In this embodiment, before the internet of things terminal leaves the factory, the safe operation features of all application software are obtained during a pre-operation run of the terminal. The safe operation features are the authority features, access features, dependency features, attribute features and resource features of the terminal's software while it operates in a safe environment, and the software white list is constructed with these safe operation features as the reference. Because the internet of things contains many kinds of terminals, which differ in hardware resources, system configuration, functions and so on, the application software installed on the various terminals also differs. Therefore, to construct software white lists for the different types of terminal, one or more terminals are selected from each type as samples, the selected terminal samples are run before leaving the factory, and their safe operation features are collected during the run. The collected safe operation features are then classified according to the hardware attributes and system attributes of the terminal samples, where the hardware attributes include hardware configuration, model number and the like, and the system attributes include operating system type, version number and the like; that is, according to the hardware and software configuration, the safe operation features of terminals of the same type are grouped into one class, the features within a class are de-duplicated to obtain the safe operation features of that type of terminal, and a software white list for each type of terminal is constructed from the processed safe operation features.
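Whitelist construction from terminal samples, as an added example (not the patent's code): samples are grouped by a type key built from hardware and system attributes, the safe operation features of each type are unioned (which de-duplicates them) and the observed resource figures become a range. The sample data and field names are constructed.

```python
from collections import defaultdict


def terminal_type(sample):
    """Type key from hardware attributes (model, configuration) and system
    attributes (OS type, version), the grouping the patent describes."""
    return (sample["hardware"]["model"], sample["hardware"]["config"],
            sample["system"]["os"], sample["system"]["version"])


def build_whitelists(samples):
    """One whitelist per terminal type. Set-valued features of samples of the
    same type are unioned (which de-duplicates them); the observed CPU and
    memory figures collapse to a (min, max) range per application."""
    merged = defaultdict(dict)
    for sample in samples:
        for name, feats in sample["software"].items():
            entry = merged[terminal_type(sample)].setdefault(name, {
                "authority": set(), "dependency": set(), "access": set(),
                "cpu": [], "mem": []})
            entry["authority"].add((feats["user"], feats["authority_type"]))
            entry["dependency"].update(feats["dependency"])
            entry["access"].update(feats["access"])
            entry["cpu"].append(feats["cpu_percent"])
            entry["mem"].append(feats["memory_kb"])
    whitelists = {}
    for ttype, apps in merged.items():
        whitelists[ttype] = {
            name: {"authority": e["authority"], "dependency": e["dependency"],
                   "access": e["access"],
                   "resource": {"cpu_percent": (min(e["cpu"]), max(e["cpu"])),
                                "memory_kb": (min(e["mem"]), max(e["mem"]))}}
            for name, e in apps.items()}
    return whitelists


# Constructed sample runs: two terminals of one type, one of another.
SAMPLES = [
    {"hardware": {"model": "DTU-A", "config": "512MB"},
     "system": {"os": "linux", "version": "4.19"},
     "software": {"meter_reader": {
         "user": "iot", "authority_type": "general",
         "dependency": {("libmodbus", "3.1.6")},
         "access": {("file", "/var/log/meter.log"), ("syscall", "open")},
         "cpu_percent": 2.0, "memory_kb": 9000}}},
    {"hardware": {"model": "DTU-A", "config": "512MB"},
     "system": {"os": "linux", "version": "4.19"},
     "software": {"meter_reader": {
         "user": "iot", "authority_type": "general",
         "dependency": {("libmodbus", "3.1.6")},
         "access": {("file", "/var/log/meter.log"), ("file", "/etc/meter.conf"),
                    ("syscall", "open"), ("syscall", "read")},
         "cpu_percent": 4.5, "memory_kb": 11000}}},
    {"hardware": {"model": "DTU-B", "config": "256MB"},
     "system": {"os": "linux", "version": "5.10"},
     "software": {"meter_reader": {
         "user": "iot", "authority_type": "general",
         "dependency": {("libmodbus", "3.1.4")},
         "access": {("file", "/var/log/meter.log")},
         "cpu_percent": 3.0, "memory_kb": 7000}}},
]
```

Ranges derived from a handful of sample runs will be tight; a deployment would pad them or collect more samples before enabling alerts.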
In some embodiments, the privilege characteristics of the software include user information of the executable software and the types of privileges that the software has;
matching the current operating characteristics with corresponding characteristics in a pre-constructed software white list, comprising:
and respectively matching the user information and the authority type of the executable software with the user information and the authority type of the executable software in the software white list.
In the embodiment, for the authority characteristics of the software, the acquired user information of the executable software is matched with the corresponding user information in the software white list, the acquired authority types are matched with the corresponding authority types in the software white list, whether the authority characteristics are in the white list or not is judged, and if the authority characteristics can be matched, the authority characteristics of the software are not abnormal; if there are unmatched features, then there is an exception to the software.
In some embodiments, the access characteristics include an absolute path of a file accessed by the software, peripheral identification, network information, and a system call type;
matching the current operating characteristics with corresponding characteristics in a pre-constructed software white list, comprising:
and respectively matching the absolute path, the peripheral identification, the network information and the system calling type of the file accessed by the software with the absolute path, the peripheral identification, the network information and the system calling type of the accessible file in the software white list.
In this embodiment, for the access feature of the software, the obtained absolute path of the file accessed by the software is matched with the absolute path of the file accessible by the software in the software white list, the obtained peripheral identifier accessed by the software is matched with the peripheral identifier accessible by the software in the software white list, the obtained network information accessed by the software is matched with the network information accessible by the software in the software white list, the obtained system call type accessed by the software is matched with the system call type accessible by the software in the software white list, whether each access feature is in the white list or not is judged, and if the access feature can be matched, the access feature of the software is not abnormal; if there are unmatched features, then there is an exception to the software.
In some embodiments, the dependency characteristics include third party library information upon which software execution depends;
matching the current operating characteristics with corresponding characteristics in a pre-constructed software white list, comprising:
and matching the third-party library information depended by the software execution with the third-party library information in the software white list.
In the embodiment, for the dependence characteristics of the software, the obtained third-party library information on which the software depends is matched with the corresponding third-party library information in the white list of the software, whether the dependence characteristics are in the white list or not is judged, and if the dependence characteristics of the software can be matched, the dependence characteristics of the software are not abnormal; if there are unmatched features, then there is an exception to the software.
In some embodiments, the attribute characteristics include software name, installation path, owner information, digest value, creation time, modification time, and footprint;
matching the current operating characteristics with corresponding characteristics in a pre-constructed software white list, comprising:
and respectively matching the software name, the installation path, the owner information, the digest value, the creation time, the modification time and the occupied space with the software name, the installation path, the owner information, the digest value, the creation time, the modification time and the occupied space in the software white list.
In this embodiment, for the attribute characteristics of the software, the acquired software name, installation path, owner information, digest value, creation time, modification time and occupied space are each matched with the corresponding software attribute characteristic in the software white list, and it is judged whether the attribute characteristics are in the white list; if all of them match, the attribute characteristics of the software are not abnormal, and if there are unmatched characteristics, the software is abnormal.
In some embodiments, the resource characteristics include CPU occupancy and memory occupancy in software operation;
matching the current operating characteristics with corresponding characteristics in a pre-constructed software white list, comprising:
and respectively matching the CPU occupation amount and the memory occupation amount in the software operation with the CPU occupation amount range and the memory occupation amount range in the software white list.
In this embodiment, for the resource characteristics of the software, the acquired CPU occupation amount during software execution is compared with the CPU occupation amount range in the software white list, the acquired memory occupation amount during software execution is compared with the memory occupation amount range in the software white list, and it is judged whether the CPU occupation amount is within the CPU occupation range and whether the memory occupation amount is within the memory occupation range; if both are within range, the resource characteristics of the software are not abnormal, and if the CPU occupation amount or the memory occupation amount exceeds its range, the software is abnormal.
In some embodiments, when the application software is updated, the method further comprises:
acquiring the safe operation characteristics of updated application software in the operation process of the Internet of things terminal sample; and updating the software white list according to the updated safe operation characteristics.
In this embodiment, when the application software in the internet of things terminal is updated, the updated application software is run in the internet of things terminal sample, the safe running characteristic of the updated application software is collected, and the software white list is updated according to the safe running characteristic. When the method is used, the application software in the internet of things terminal is updated firstly, then the updated software white list is downloaded to the internet of things terminal, and when the updated application software is operated, the internet of things terminal performs detection by using the updated software white list. In some modes, if the alarm field is set in the software white list, before the application software and the software white list are updated, the alarm is closed by setting the value of the alarm field, and after the application software and the software white list are updated, the alarm field of the updated software white list is set to start the alarm.
In some embodiments, when the network information (including IP address, port number, protocol type, connection state and the like) in the access features of all application software is acquired, a Netlink socket is used to interact with the operating system kernel to acquire each feature. In some modes, when the operating system kernel of the terminal does not support Netlink sockets, the current operating characteristics can instead be acquired by executing commands or by reading system files.
In some modes, the connection state of the network can be interactively acquired through a Netlink socket and an operating system kernel, the process information of the software can be acquired through traversing a proc folder in the system, and the two are associated through an object identifier (socket inode value). In general, connection status and process information are maintained using independent data structures, both of which contain socket inode values, and associated synchronization operations (e.g., adding, deleting, and checking two data structures synchronously) of network information and process information are performed by matching the socket inode values in the two data structures, and the algorithm complexity is O (n).
In consideration of the limited computing and storage resources of the internet of things terminal, in order to reduce the complexity of the algorithm, the network information and the process information associated with the network information are stored by using the hash table, the index value of the hash table can use a socket inode value, the index value can also be generated according to the network information, the hash table is searched according to the index value, and the storage space for storing the network information and the process information associated with the network information is determined. In this way, the complexity of the algorithm can be reduced to O (1) by using a method of hash table storage and operation without constructing a data structure for the network information and the process information respectively.
In some modes, the network information of the software is obtained through the Netlink socket, the process information of the software (absolute path, whether the software runs inside a docker container, and the like) is obtained by traversing the /proc directory, and the network information and process information so obtained are stored in a hash table with the object identifier (the socket inode) as the index value. During operation the hash table is searched by object identifier, the corresponding storage space is located, and the network information and process information are read from it; all or part of the current operating characteristics of the software can be stored in the hash table as needed. This approach is convenient for querying network information starting from process information.
In other manners, a hash key is computed from the source port number and the destination port number, and the index value is then derived from that key by a hash function. During operation the hash table is queried with the source and destination port numbers from the network information, the corresponding storage space is located, and the required process information is read from it. This approach is convenient for querying process information starting from network information. Lookups in both hash tables are O(1). Since the same port pair can recur against different remote hosts, an implementation that must distinguish such connections should widen the key to include the addresses and the protocol.
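The association and the two hash tables described in the preceding paragraphs, as an added Python example that is not part of the patent. It takes the page's fallback route of reading /proc/net/tcp instead of Netlink sock_diag, and every input is a constructed string standing in for /proc/net/tcp or for the readlink() targets of /proc/<pid>/fd/*, so it runs offline. One dict is keyed by socket inode (process to network information); the other is keyed by the connection tuple (network information to process), widened from the page's port pair to the full 5-tuple so that connections to different peers do not collide. The sample processes, paths and inode numbers are invented.

```python
"""Associate kernel socket entries with their owning processes via the socket inode.

Added example, not the patent's code. Reads the /proc/net/tcp text format (the
page's fallback when Netlink is unavailable); all inputs are constructed.
"""
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TCP_STATES = {
    0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x03: "SYN_RECV", 0x04: "FIN_WAIT1",
    0x05: "FIN_WAIT2", 0x06: "TIME_WAIT", 0x07: "CLOSE", 0x08: "CLOSE_WAIT",
    0x09: "LAST_ACK", 0x0A: "LISTEN", 0x0B: "CLOSING",
}

@dataclass(frozen=True)
class Conn:
    proto: str
    laddr: str
    lport: int
    raddr: str
    rport: int
    state: str
    uid: int
    inode: int

    def key(self) -> Tuple[str, str, int, str, int]:
        return (self.proto, self.laddr, self.lport, self.raddr, self.rport)

@dataclass(frozen=True)
class Proc:
    pid: int
    exe: str          # readlink('/proc/<pid>/exe'): the absolute path
    in_docker: bool   # on a live system derived from /proc/<pid>/cgroup

def _decode_addr(text: str) -> Tuple[str, int]:
    """'0100007F:1F90' -> ('127.0.0.1', 8080).

    /proc/net/tcp prints the IPv4 address as a native-order 32-bit word, so on
    the little-endian CPUs typical of these terminals the bytes are reversed.
    """
    ip_hex, port_hex = text.split(":")
    return socket.inet_ntoa(bytes.fromhex(ip_hex)[::-1]), int(port_hex, 16)

def parse_proc_net_tcp(text: str, proto: str = "tcp") -> List[Conn]:
    conns = []
    for line in text.splitlines()[1:]:          # first line is the column header
        parts = line.split()
        if len(parts) < 10:
            continue
        laddr, lport = _decode_addr(parts[1])
        raddr, rport = _decode_addr(parts[2])
        state = TCP_STATES.get(int(parts[3], 16), "UNKNOWN")
        conns.append(Conn(proto, laddr, lport, raddr, rport, state,
                          uid=int(parts[7]), inode=int(parts[9])))
    return conns

def index_fd_sockets(fd_links: Dict[int, Tuple[str, bool, List[str]]]) -> Dict[int, Proc]:
    """socket inode -> Proc, from {pid: (exe, in_docker, [fd link targets])}.

    Live targets come from os.readlink('/proc/<pid>/fd/<n>'), e.g. 'socket:[12345]'.
    """
    by_inode: Dict[int, Proc] = {}
    for pid, (exe, in_docker, targets) in fd_links.items():
        for target in targets:
            if target.startswith("socket:[") and target.endswith("]"):
                by_inode[int(target[len("socket:["):-1])] = Proc(pid, exe, in_docker)
    return by_inode

Entry = Tuple[Conn, Optional[Proc]]

def build_tables(conns: List[Conn], inode_to_proc: Dict[int, Proc]):
    """Return (by_inode, by_tuple), both O(1) lookups.

    Sockets with inode 0 (TIME_WAIT, orphaned) have no owning process and would
    all collide on one key, so they only go into the tuple-keyed table.
    """
    by_inode: Dict[int, Entry] = {}
    by_tuple: Dict[Tuple[str, str, int, str, int], Entry] = {}
    for conn in conns:
        entry: Entry = (conn, inode_to_proc.get(conn.inode) if conn.inode else None)
        if conn.inode:
            by_inode[conn.inode] = entry
        by_tuple[conn.key()] = entry
    return by_inode, by_tuple

# Constructed sample data, not captured from a real terminal.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 1401A8C0:B26E 0500000A:01BB 01 00000000:00000000 00:00000000 00000000     0        0 67890 1 0000000000000000 20 4 30 10 -1
   2: 1401A8C0:B26F 0500000A:01BB 06 00000000:00000000 03:00000A8C 00000000     0        0 0 3 0000000000000000
"""
SAMPLE_FD_LINKS = {
    412: ("/opt/app/collector", False, ["/dev/null", "socket:[12345]", "pipe:[777]"]),
    530: ("/usr/bin/agent", True, ["socket:[67890]"]),
}

def demo():
    conns = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    return build_tables(conns, index_fd_sockets(SAMPLE_FD_LINKS))

if __name__ == "__main__":
    for inode, (conn, proc) in demo()[0].items():
        print(inode, conn.state, f"{conn.laddr}:{conn.lport} -> {conn.raddr}:{conn.rport}",
              proc.exe if proc else "<no owning process>")
```

On a live terminal the two constructed inputs are replaced by the contents of /proc/net/tcp (and /proc/net/udp, /proc/net/tcp6 as needed) and by a walk over /proc/<pid>/fd; the lookup structures and the inode-0 handling stay the same.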
In some embodiments, the authority characteristics and attribute characteristics of the software are obtained by reading and parsing system files (/proc/<PID>/status and /proc/<PID>/exe), and the creation time and modification time of the software are obtained by calling the stat interface. Note that on Linux the plain stat interface reports the last modification time (mtime) and the last inode change time (ctime) but no true creation time; a file's birth time is only available through statx on file systems that record it, so the "creation time" recorded in the white list must be defined consistently with whichever field is actually collected. For the access characteristics, the open, read, write and close system calls of the process can be traced through the ptrace interface to obtain the accessed file operation information and peripheral identifiers. For the dependence characteristics, the ELF header (Elf_Ehdr) and program headers (Elf_Phdr) of the executable are parsed and dlopen calls are tracked to obtain the paths of the libraries the software loads. The resource characteristics of the software are obtained by reading and parsing the system file /proc/<PID>/stat.
In some embodiments, during matching detection against the software white list, when a certain characteristic fails to match, the current operating characteristic of the software and an abnormal state code are output. The abnormal state code differs according to the characteristic item that failed to match, for example:
abnormal state code 1: illegal software has been newly added;
abnormal state code 2: software in the software white list is not running;
abnormal state code 3: the application software is run by an illegal user;
abnormal state code 4: the user authority held by the application software has been modified;
abnormal state code 5: the application software accesses files it has no right to access;
abnormal state code 6: the application software accesses peripherals it has no right to access;
abnormal state code 7: the application software accesses IP addresses or port numbers it has no right to access;
abnormal state code 8: the application software invokes system calls it has no right to make;
abnormal state code 9: the installation path of the application software has been modified;
abnormal state code 10: the digest value of the application software has been modified;
abnormal state code 11: the application software calls a third-party library that it does not call in the white list;
abnormal state code 12: the CPU usage of the application software exceeds the CPU usage range in the white list;
abnormal state code 13: the memory usage of the application software exceeds the memory usage range in the white list;
abnormal state code 14: the owner or owning group of the application software differs from the owner information in the white list;
abnormal state code 15: the creation time, modification time or occupied space of the application software differs from the creation time, modification time and occupied space in the white list.
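The white-list matching that produces these codes, together with the /proc/<PID>/status parsing from the preceding paragraph, as an added Python example that is not the patent's code. The Features record, the code texts, the /proc/<PID>/status excerpt, the white list and the observed values are all constructed for the demonstration; codes 1 and 2 come from comparing the set of running software against the set of white-listed software, and codes 3 to 15 from comparing one running software against its own entry.

```python
"""White-list matching that yields the abnormal state codes listed above.

Added example, not the patent's code; every value below is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

CODE_TEXT = {
    1: "illegal software newly added", 2: "white-listed software not running",
    3: "run by illegal user", 4: "user authority modified",
    5: "unauthorized file access", 6: "unauthorized peripheral access",
    7: "unauthorized IP address or port", 8: "unauthorized system call",
    9: "installation path modified", 10: "digest value modified",
    11: "uncalled third-party library loaded", 12: "CPU usage out of range",
    13: "memory usage out of range", 14: "owner or group changed",
    15: "creation time, modification time or size changed",
}

@dataclass
class Features:
    """One software's characteristics: a white-list entry or a live observation.

    For cpu/mem_kib the white list holds (low, high) and an observation holds
    (value, value); for the sets the white list holds what is permitted.
    """
    name: str
    install_path: str
    digest: str
    owner: Tuple[int, int]                    # (uid, gid) of the executable file
    users: Set[int]                           # uids running the software
    privilege: str                            # authority type, e.g. "user" / "root"
    files: Set[str] = field(default_factory=set)
    peripherals: Set[str] = field(default_factory=set)
    endpoints: Set[Tuple[str, int]] = field(default_factory=set)   # (ip, port)
    syscalls: Set[str] = field(default_factory=set)
    libs: Set[str] = field(default_factory=set)
    cpu: Tuple[float, float] = (0.0, 100.0)   # percent
    mem_kib: Tuple[int, int] = (0, 1 << 40)
    times_size: Tuple[int, int, int] = (0, 0, 0)   # (creation, modification, bytes)

def parse_proc_status(text: str) -> Tuple[str, int, int]:
    """Return (Name, real uid, real gid) from the body of /proc/<pid>/status."""
    fields = dict(line.split(":", 1) for line in text.splitlines() if ":" in line)
    return fields["Name"].strip(), int(fields["Uid"].split()[0]), int(fields["Gid"].split()[0])

def match_one(wl: Features, obs: Features) -> List[int]:
    """Abnormal state codes for software that is both white-listed and running."""
    checks = [
        (3, obs.users <= wl.users),
        (4, obs.privilege == wl.privilege),
        (5, obs.files <= wl.files),
        (6, obs.peripherals <= wl.peripherals),
        (7, obs.endpoints <= wl.endpoints),
        (8, obs.syscalls <= wl.syscalls),
        (9, obs.install_path == wl.install_path),
        (10, obs.digest == wl.digest),
        (11, obs.libs <= wl.libs),
        (12, wl.cpu[0] <= obs.cpu[0] <= wl.cpu[1]),
        (13, wl.mem_kib[0] <= obs.mem_kib[0] <= wl.mem_kib[1]),
        (14, obs.owner == wl.owner),
        (15, obs.times_size == wl.times_size),
    ]
    return [code for code, ok in checks if not ok]

def match_all(whitelist: Dict[str, Features], observed: Dict[str, Features]) -> Dict[str, List[int]]:
    """Codes per software: 1 for unknown running software, 2 for white-listed but absent."""
    result = {name: [1] for name in observed.keys() - whitelist.keys()}
    result.update({name: [2] for name in whitelist.keys() - observed.keys()})
    for name in whitelist.keys() & observed.keys():
        codes = match_one(whitelist[name], observed[name])
        if codes:
            result[name] = codes
    return result

# Constructed sample data (digests are placeholders, not real hashes).
SAMPLE_STATUS = ("Name:\tcollector\nUmask:\t0022\nState:\tS (sleeping)\n"
                 "Uid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\n")

def _collector(**over) -> Features:
    base = dict(name="collector", install_path="/opt/app/collector", digest="sha256:3b1f9e7c",
                owner=(0, 0), users={1000}, privilege="user",
                files={"/var/lib/collector/data.db"}, peripherals={"/dev/ttyS1"},
                endpoints={("10.0.0.5", 443)}, syscalls={"open", "read", "write", "close"},
                libs={"/usr/lib/libmodbus.so.5"}, cpu=(0.0, 30.0), mem_kib=(0, 65536),
                times_size=(1696000000, 1696000000, 1245184))
    base.update(over)
    return Features(**base)

WHITELIST = {
    "collector": _collector(),
    "agent": _collector(name="agent", install_path="/usr/bin/agent", digest="sha256:9c0e11d2"),
}
OBSERVED = {
    # collector touches a file and an endpoint outside its white list (codes 5 and 7)
    "collector": _collector(files={"/var/lib/collector/data.db", "/etc/shadow"},
                            endpoints={("10.0.0.5", 443), ("203.0.113.9", 4444)},
                            cpu=(12.5, 12.5), mem_kib=(40960, 40960)),
    # a running executable that has no white-list entry at all (code 1); agent is absent (code 2)
    "miner": _collector(name="miner", install_path="/tmp/.x/miner", digest="sha256:ffffffff"),
}

def demo() -> Dict[str, List[int]]:
    return match_all(WHITELIST, OBSERVED)
```

Because observed sets are compared as subsets of the permitted sets, a software that accesses fewer files or endpoints than the white list allows still matches; only additional, unlisted accesses raise a code.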
In some modes, an alarm field is additionally set in the software white list entry of each application software, and the alarm function is turned on or off by setting the value of this field. For example, when the alarm field of an application software is set to on and some characteristic of that software fails to match during white list matching, alarm information for the software is output, including the detected abnormal state code, which facilitates testing and fault localization. Optionally, a time interval for outputting alarm information and a maximum number of alarms may be set: when an abnormality occurs, the alarm information is output at the configured intervals, and once the number of outputs reaches the maximum no further alarm information is output. The intervals may be equal, or may follow some mathematical relationship, for example a multiple relationship (adjacent intervals being multiples of one another) or an exponential relationship (adjacent intervals growing exponentially); the specific manner is not limited.
Each application software in the software white list can be given its own alarm mode: different application software can be configured with different alarm intervals, maximum alarm counts and so on according to the type and importance level of the software, and the specific configuration is not limited. For example, user-facing business software may need to alarm at high frequency without a count limit, so that operation and maintenance personnel are reminded to remove the risk as soon as possible; software of lower importance may alarm at low frequency with a limited count; and software of the lowest importance may be configured not to alarm at all.
In some modes, when the Internet of Things terminal detects that software is abnormal, alarm information is sent to the Internet of Things server according to the preset alarm mode. The alarm information may include the terminal identifier of the Internet of Things terminal, the abnormal state code of the software and the like, so that the Internet of Things server can monitor and manage all the Internet of Things terminals in the network. Since the server acts on these reports, the channel carrying them should authenticate the terminal, so that a spoofed or compromised terminal cannot forge or suppress alarms for another.
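The per-software alarm switch, interval schedule and maximum count from the preceding three paragraphs, as an added Python example that is not the patent's code. The three interval schedules are interpreted here as: equal (every base interval), multiple (the k-th gap is k times the base) and exponential (the k-th gap is the base times a ratio to the power k-1); the message carries the terminal identifier and the abnormal state codes as the text specifies, while the field names, the terminal identifier and the simulated timeline are assumptions.

```python
"""Per-software alarm policy: on/off switch, interval schedule, maximum count.

Added example, not the patent's code. Time is passed in explicitly so the
schedule can be simulated offline; on a terminal `now` would be time.monotonic().
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class AlarmPolicy:
    enabled: bool = True
    base_interval: float = 60.0       # seconds
    schedule: str = "equal"           # "equal" | "multiple" | "exponential"
    ratio: int = 2                    # growth factor for "exponential"
    max_alarms: Optional[int] = None  # None = unlimited

    def gap(self, sent: int) -> float:
        """Seconds to wait after the `sent`-th alarm before the next one may go out."""
        if self.schedule == "equal":
            return self.base_interval
        if self.schedule == "multiple":
            return self.base_interval * sent
        if self.schedule == "exponential":
            return self.base_interval * self.ratio ** (sent - 1)
        raise ValueError(f"unknown schedule {self.schedule!r}")

@dataclass
class AlarmState:
    sent: int = 0
    next_due: float = 0.0             # absolute time of the next permitted alarm

class Alarmer:
    def __init__(self, terminal_id: str, policies: Dict[str, AlarmPolicy]):
        self.terminal_id = terminal_id
        self.policies = policies
        self.state: Dict[str, AlarmState] = {}

    def report(self, name: str, codes: List[int], now: float) -> Optional[dict]:
        """Call once per detection cycle per software; returns a message to send or None."""
        if not codes:
            self.state.pop(name, None)    # back to normal: forget the backoff state
            return None
        policy = self.policies.get(name, AlarmPolicy())   # default policy if unconfigured
        if not policy.enabled:
            return None
        st = self.state.setdefault(name, AlarmState(next_due=now))
        if policy.max_alarms is not None and st.sent >= policy.max_alarms:
            return None
        if now < st.next_due:
            return None
        st.sent += 1
        st.next_due = now + policy.gap(st.sent)
        return {"terminal_id": self.terminal_id, "software": name,
                "codes": sorted(codes), "time": now}

def simulate(policy: AlarmPolicy, codes: List[int], ticks: List[float]) -> List[float]:
    """Feed a persistent abnormality on every tick; return the times alarms went out."""
    alarmer = Alarmer("DTU-0001", {"collector": policy})   # constructed terminal id
    times = []
    for t in ticks:
        msg = alarmer.report("collector", codes, t)
        if msg is not None:
            times.append(msg["time"])
    return times

if __name__ == "__main__":
    policy = AlarmPolicy(base_interval=10, schedule="exponential", max_alarms=4)
    print(simulate(policy, [7], list(range(0, 100, 5))))
```

With a base interval of 10 seconds, an exponential schedule and a maximum of four alarms, a fault detected on every 5-second cycle produces alarms at 0, 10, 30 and 70 seconds and then falls silent until the software returns to normal and the state is reset.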
It should be noted that the above description describes certain embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
As shown in fig. 2, an embodiment of the present application further provides a device for monitoring security of application software of a power distribution internet of things terminal, including:
the acquisition module is used for acquiring the current operation characteristics of all application software in the operation process of the internet of things terminal; the current operation characteristics comprise authority characteristics, access characteristics, dependence characteristics, attribute characteristics and resource characteristics;
the matching module is used for matching the current running characteristic with the corresponding characteristic in a pre-constructed software white list;
and the output module is used for responding to the unmatched characteristics and outputting the alarm information.
For convenience of description, the above device is described as divided into modules by function. Of course, when the embodiments of the present application are implemented, the functions of the modules may be realized in one or more pieces of software and/or hardware.
The apparatus in the foregoing embodiment is used for implementing the corresponding method in the foregoing embodiment, and has the beneficial effects of the corresponding method embodiment, which are not described herein again.
Fig. 3 is a schematic diagram illustrating a more specific hardware structure of an electronic device according to this embodiment, where the electronic device may include: a processor 1010, a memory 1020, an input/output interface 1030, a communication interface 1040, and a bus 1050. Wherein the processor 1010, memory 1020, input/output interface 1030, and communication interface 1040 are communicatively coupled to each other within the device via bus 1050.
The processor 1010 may be implemented by a general-purpose CPU (Central Processing Unit), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits, and is configured to execute related programs to implement the technical solutions provided in the embodiments of the present disclosure.
The Memory 1020 may be implemented in the form of a ROM (Read Only Memory), a RAM (Random Access Memory), a static Memory device, a dynamic Memory device, or the like. The memory 1020 may store an operating system and other application programs, and when the technical solutions provided by the embodiments of the present specification are implemented by software or firmware, the relevant program codes are stored in the memory 1020 and called by the processor 1010 for execution.
The input/output interface 1030 is used for connecting an input/output module to input and output information. The i/o module may be configured as a component in a device (not shown) or may be external to the device to provide a corresponding function. Wherein the input devices may include a keyboard, mouse, touch screen, microphone, various sensors, etc., and the output devices may include a display, speaker, vibrator, indicator light, etc.
The communication interface 1040 is used for connecting a communication module (not shown in the drawings) to implement communication between the present device and other devices. The communication module can communicate in a wired manner (such as USB or network cable) or in a wireless manner (such as mobile network, Wi-Fi or Bluetooth).
Bus 1050 includes a path that transfers information between various components of the device, such as processor 1010, memory 1020, input/output interface 1030, and communication interface 1040.
It should be noted that although the above-mentioned device only shows the processor 1010, the memory 1020, the input/output interface 1030, the communication interface 1040 and the bus 1050, in a specific implementation, the device may also include other components necessary for normal operation. In addition, those skilled in the art will appreciate that the above-described apparatus may also include only those components necessary to implement the embodiments of the present description, and not necessarily all of the components shown in the figures.
The electronic device of the foregoing embodiment is used to implement the corresponding method in the foregoing embodiment, and has the beneficial effects of the corresponding method embodiment, which are not described herein again.
Computer-readable media of the present embodiments, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read only memory (ROM), electrically erasable programmable read only memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device.
Those of ordinary skill in the art will understand that the discussion of any embodiment above is exemplary only and is not intended to imply that the scope of the disclosure, including the claims, is limited to these examples; within the idea of the present disclosure, technical features of the above embodiments or of different embodiments may be combined, steps may be implemented in any order, and there are many other variations of the different aspects of the embodiments of the present application as described above, which are not provided in detail for the sake of brevity.
In addition, well-known power/ground connections to Integrated Circuit (IC) chips and other components may or may not be shown in the provided figures for simplicity of illustration and discussion, and so as not to obscure the embodiments of the application. Furthermore, devices may be shown in block diagram form in order to avoid obscuring embodiments of the application, and this also takes into account the fact that specifics with respect to implementation of such block diagram devices are highly dependent upon the platform within which the embodiments of the application are to be implemented (i.e., specifics should be well within purview of one skilled in the art). Where specific details (e.g., circuits) are set forth in order to describe example embodiments of the disclosure, it should be apparent to one skilled in the art that the embodiments of the disclosure can be practiced without, or with variation of, these specific details. Accordingly, the description is to be regarded as illustrative instead of restrictive.
While the present disclosure has been described in conjunction with specific embodiments thereof, many alternatives, modifications, and variations of these embodiments will be apparent to those of ordinary skill in the art in light of the foregoing description. For example, other memory architectures, such as Dynamic RAM (DRAM), may use the discussed embodiments.
The present embodiments are intended to embrace all such alternatives, modifications and variances which fall within the broad scope of the appended claims. Therefore, any omissions, modifications, substitutions, improvements, and the like that may be made without departing from the spirit and principles of the embodiments of the present disclosure are intended to be included within the scope of the disclosure.

Claims (10)

1. A method for monitoring the security of application software of a power distribution Internet of Things terminal, applied to an Internet of Things terminal, characterized by comprising the following steps:
acquiring the current operation characteristics of all application software in the operation process of the internet of things terminal; wherein the current operation characteristics comprise authority characteristics, access characteristics, dependence characteristics, attribute characteristics and resource characteristics;
matching the current operating characteristics with corresponding characteristics in a pre-constructed software white list;
in response to the presence of an unmatched characteristic, outputting alarm information.
2. The method according to claim 1, further comprising, before shipment of the terminal, the steps of:
in the operation process of the Internet of things terminal sample, acquiring the safe operation characteristics of all application software;
according to the hardware attribute and the system attribute of the Internet of things terminal sample, dividing different types of Internet of things terminal samples and the safe operation characteristics corresponding to the various types of Internet of things terminal samples;
and constructing a software white list corresponding to the corresponding type of the internet of things terminal according to the corresponding safe operation characteristics of the various types of the internet of things terminal samples.
3. The method of claim 1, wherein the authority characteristics comprise user information of the executable software and the authority type of the software; the dependence characteristics comprise third-party library information on which software execution depends;
matching the current operating characteristics with corresponding characteristics in a pre-constructed software white list, including:
respectively matching the user information and the authority type of the executable software with the user information and the authority type of the executable software in the software white list;
matching the current operating characteristics with corresponding characteristics in a pre-constructed software white list, including:
and matching the third-party library information depended by the software execution with the third-party library information in the software white list.
4. The method of claim 1, wherein the access characteristics include an absolute path of a file accessed by the software, peripheral identification, network information, a type of system call;
matching the current operating characteristics with corresponding characteristics in a pre-constructed software white list, including:
and respectively matching the absolute path, the peripheral identification, the network information and the system calling type of the file accessed by the software with the absolute path, the peripheral identification, the network information and the system calling type of the accessible file in the software white list.
5. The method of claim 1, wherein the attribute characteristics include software name, installation path, owner information, digest value, creation time, modification time and occupied space;
matching the current operating characteristics with corresponding characteristics in a pre-constructed software white list, including:
and respectively matching the software name, the installation path, the owner information, the digest value, the creation time, the modification time and the occupied space with the software name, the installation path, the owner information, the digest value, the creation time, the modification time and the occupied space in the software white list.
6. The method of claim 1, wherein the resource characteristics include the CPU occupation amount and the memory occupation amount during software execution;
matching the current operating characteristics with corresponding characteristics in a pre-constructed software white list, including:
and respectively matching the CPU occupation amount and the memory occupation amount in the software running with the CPU occupation amount range and the memory occupation amount range in the software white list.
7. The method of claim 1, further comprising, when the application software is updated:
acquiring the safe operation characteristics of updated application software in the operation process of the Internet of things terminal sample;
and updating the software white list according to the updated safe operation characteristics.
8. The method of claim 4, further comprising: acquiring process information of application software; after obtaining the current operating characteristics of all the application software, the method further includes:
constructing a hash table for storing the network information and the process information, taking the object identifier associated with the network information and the process information as the index value; or,
and generating an index value based on the source port number and the destination port number in the network information, and constructing a hash table.
9. The method of claim 1, wherein outputting alarm information in response to the presence of an unmatched characteristic comprises:
and responding to the unmatched characteristics, and outputting alarm information to the Internet of things server according to a preset alarm mode, wherein the alarm information comprises a terminal identifier of the Internet of things terminal and an abnormal state code corresponding to the unmatched characteristics.
10. A device for monitoring the security of application software of a power distribution Internet of Things terminal, characterized by comprising:
the acquisition module is used for acquiring the current operation characteristics of all application software in the operation process of the Internet of things terminal; wherein the current operation characteristics comprise authority characteristics, access characteristics, dependence characteristics, attribute characteristics and resource characteristics;
the matching module is used for matching the current operation characteristics with corresponding characteristics in a pre-constructed software white list;
and the output module is used for responding to the unmatched characteristics and outputting the alarm information.
CN202211243291.8A 2022-10-11 2022-10-11 Method and device for monitoring security of application software of power distribution internet of things terminal Pending CN115834118A (en)

Publications (1)

Publication Number Publication Date
CN115834118A true CN115834118A (en) 2023-03-21

Family

ID=85524621


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination