CN116545780B - Internet of Things security assessment method, device and system based on virtual threat distribution - Google Patents


Publication number: CN116545780B
Authority: CN (China)
Prior art keywords: terminal equipment, internet, target, address, scanned
Legal status: Active
Application number: CN202310823996.5A
Other languages: Chinese (zh)
Other versions: CN116545780A (en)
Inventors: 周少鹏, 王滨, 朱伟康, 王旭, 毕志城, 张峰, 李超豪
Current Assignee: Hangzhou Hikvision Digital Technology Co Ltd
Original Assignee: Hangzhou Hikvision Digital Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L63/1433 Vulnerability analysis
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Abstract

The application provides an Internet of things security assessment method, device and system based on virtual threat distribution. The method comprises: acquiring an IP address network segment of an Internet of things system to be evaluated; for any IP address network segment of the Internet of things system to be evaluated, generating a sub-network segment to be scanned from that network segment; scanning the sub-network segment to be scanned and determining the target terminal devices in it; for any target terminal device, injecting a target command into the target terminal device so that it downloads and loads, according to the target command, virtual threat software matching the operating system architecture of the device; and performing security evaluation on the Internet of things system to be evaluated according to the collected security evaluation basic data of each target terminal device in that system. The method enables security assessment of an Internet of things environment without damaging that environment.

Description

Internet of things security assessment method, device and system based on virtual threat distribution
Technical Field
The application relates to the technical field of information security, in particular to an internet of things security assessment method, device and system based on virtual threat distribution.
Background
As Internet of things technology develops, the scale of the Internet of things keeps growing; Internet of things security incidents are increasing accordingly, and attacks on the Internet of things occur frequently.
For the security of Internet of things infrastructure, security assessment is needed to find security problems so that measures can be taken in advance.
How to perform security assessment of an Internet of things system has become a technical problem that urgently needs to be solved.
Disclosure of Invention
In view of the above, the application provides an internet of things security assessment method, device and system based on virtual threat distribution.
Specifically, the application is realized by the following technical scheme:
According to a first aspect of an embodiment of the present application, there is provided an Internet of things security assessment method based on virtual threat distribution, applied to a central server, the method including:
acquiring an IP address network segment of an Internet of things system to be evaluated;
for any IP address network segment of the Internet of things system to be evaluated, generating a sub-network segment to be scanned from that network segment;
scanning the sub-network segment to be scanned, and determining the target terminal devices in the sub-network segment to be scanned; a target terminal device is an Internet of things terminal device that has a designated public service port open and/or has a designated exploitable security problem; the designated public service port is a public service port that can be accessed without authorization, and the designated exploitable security problem is a security problem through which terminal command execution authority can be obtained;
for any target terminal device, injecting a target command into the target terminal device so that the target terminal device downloads and loads, according to the target command, virtual threat software matching the operating system architecture of the device; while running in the target terminal device, the virtual threat software collects the security evaluation basic data of the target terminal device and returns it to the central server;
and performing security evaluation on the Internet of things system to be evaluated according to the collected security evaluation basic data of each target terminal device in the Internet of things system to be evaluated.
According to a second aspect of the embodiment of the present application, there is provided an internet of things security assessment method based on virtual threat distribution, applied to a terminal device, the method comprising:
receiving a target command; the target command is injected into the terminal device when the central server scans the sub-network segment to be scanned and determines that the terminal device is a target terminal device in the sub-network segment to be scanned, the sub-network segment to be scanned being generated by the central server from the acquired IP address network segment of the Internet of things system to be evaluated; or the target command is injected into the terminal device when a target terminal device scans the addresses to be scanned associated with that target terminal device and determines that the terminal device is a new target terminal device; a target terminal device is an Internet of things terminal device that has a designated public service port open and/or has a designated exploitable security problem; the designated public service port is a public service port that can be accessed without authorization, and the designated exploitable security problem is a security problem through which terminal command execution authority can be obtained;
downloading and loading, according to the target command, virtual threat software matching the operating system architecture of the device, and running the virtual threat software to collect the security evaluation basic data of the device and transmit it back to the central server; the security evaluation basic data is used by the central server to perform security evaluation on the Internet of things system to be evaluated.
According to a third aspect of an embodiment of the present application, there is provided an internet of things security assessment device based on virtual threat distribution, deployed at a central server, the device comprising:
an acquisition unit, used for acquiring an IP address network segment of the Internet of things system to be evaluated;
a generating unit, used for generating, for any IP address network segment of the Internet of things system to be evaluated, a sub-network segment to be scanned from that network segment;
a determining unit, used for scanning the sub-network segment to be scanned and determining the target terminal devices in the sub-network segment to be scanned; a target terminal device is an Internet of things terminal device that has a designated public service port open and/or has a designated exploitable security problem; the designated public service port is a public service port that can be accessed without authorization, and the designated exploitable security problem is a security problem through which terminal command execution authority can be obtained;
an injection unit, used for injecting a target command into any target terminal device so that the target terminal device downloads and loads, according to the target command, virtual threat software matching the operating system architecture of the device; while running in the target terminal device, the virtual threat software collects the security evaluation basic data of the target terminal device and returns it to the central server;
an evaluation unit, used for performing security evaluation on the Internet of things system to be evaluated according to the collected security evaluation basic data of each target terminal device in the Internet of things system to be evaluated.
According to a fourth aspect of an embodiment of the present application, there is provided an internet of things security assessment apparatus based on virtual threat distribution, deployed at a terminal device, the apparatus comprising:
a receiving unit, configured to receive a target command; the target command is injected into the terminal device when the central server scans the sub-network segment to be scanned and determines that the terminal device is a target terminal device in the sub-network segment to be scanned, the sub-network segment to be scanned being generated by the central server from the acquired IP address network segment of the Internet of things system to be evaluated; or the target command is injected into the terminal device when a target terminal device scans the addresses to be scanned associated with that target terminal device and determines that the terminal device is a new target terminal device; a target terminal device is an Internet of things terminal device that has a designated public service port open and/or has a designated exploitable security problem; the designated public service port is a public service port that can be accessed without authorization, and the designated exploitable security problem is a security problem through which terminal command execution authority can be obtained;
a downloading unit, used for downloading and loading, according to the target command, virtual threat software matching the operating system architecture of the device;
an operation unit, used for running the virtual threat software to collect the security evaluation basic data of the terminal device and transmit it back to the central server; the security evaluation basic data is used by the central server to perform security evaluation on the Internet of things system to be evaluated.
According to a fifth aspect of embodiments of the present application, there is provided an electronic device comprising a processor and a memory, wherein,
a memory for storing a computer program;
and a processor configured to implement the method according to the first aspect or the second aspect when executing the program stored in the memory.
According to a sixth aspect of an embodiment of the present application, there is provided an internet of things security assessment system based on virtual threat distribution, including: a center server and a terminal device; wherein:
the central server is used for acquiring an IP address network segment of the Internet of things system to be evaluated;
the central server is further used for generating, for any IP address network segment of the Internet of things system to be evaluated, a sub-network segment to be scanned from that network segment;
the central server is further used for scanning the sub-network segment to be scanned and determining the target terminal devices in the sub-network segment to be scanned; a target terminal device is an Internet of things terminal device that has a designated public service port open and/or has a designated exploitable security problem; the designated public service port is a public service port that can be accessed without authorization, and the designated exploitable security problem is a security problem through which terminal command execution authority can be obtained;
the central server is further used for injecting a target command into any target terminal device;
the terminal device is used for, on receiving the target command, downloading and loading virtual threat software matching the operating system architecture of the device, and running the virtual threat software so as to collect the security evaluation basic data of the device and transmit it back to the central server;
the central server is further used for performing security evaluation on the Internet of things system to be evaluated according to the collected security evaluation basic data of each target terminal device in the Internet of things system to be evaluated.
In the Internet of things security assessment method based on virtual threat distribution, the IP address network segments of the Internet of things system to be evaluated are acquired; for any such network segment, a sub-network segment to be scanned is generated; the sub-network segment to be scanned is scanned and the target terminal devices in it are determined; and a target command is injected into any target terminal device. On receiving the target command, the terminal device downloads and loads, according to the target command, virtual threat software matching the operating system architecture of the device, and runs the virtual threat software to collect the security evaluation basic data of the target terminal device and return it to the central server. The central server performs security evaluation on the Internet of things system to be evaluated according to the collected security evaluation basic data of each target terminal device in that system, thereby achieving security evaluation of the Internet of things environment. In addition, because device infection and data collection are carried out with virtual threat software, the security assessment of the Internet of things environment is achieved without damaging that environment.
Drawings
FIG. 1 is a flow chart of an Internet of things security assessment method based on virtual threat distribution according to an exemplary embodiment of the application;
FIG. 2 is a flow chart of an Internet of things security assessment method based on virtual threat distribution according to an exemplary embodiment of the application;
FIG. 3 is a schematic structural diagram of an Internet of things security assessment device based on virtual threat distribution according to an exemplary embodiment of the present application;
FIG. 4 is a schematic structural diagram of an Internet of things security assessment device based on virtual threat distribution according to an exemplary embodiment of the present application;
FIG. 5 is a schematic structural diagram of an Internet of things security assessment device based on virtual threat distribution according to an exemplary embodiment of the present application;
FIG. 6 is a schematic diagram of a hardware structure of an electronic device according to an exemplary embodiment of the present application;
FIG. 7 is a schematic diagram of a hardware structure of an electronic device according to an exemplary embodiment of the present application;
FIG. 8 is a schematic structural diagram of an Internet of things security assessment system based on virtual threat distribution according to an exemplary embodiment of the present application.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the application. Rather, they are merely examples of apparatus and methods consistent with aspects of the application as detailed in the accompanying claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
In order to better understand the technical solution provided by the embodiments of the present application and make the above objects, features and advantages of the embodiments of the present application more obvious, the technical solution in the embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
Referring to fig. 1, a flow chart of an internet of things security assessment method based on virtual threat distribution provided by an embodiment of the present application is shown, where the method may be applied to a central server, and as shown in fig. 1, the internet of things security assessment method based on virtual threat distribution may include the following steps:
Step S100, acquiring an IP address network segment of the Internet of things system to be evaluated.
Step S110, for any IP address network segment of the Internet of things system to be evaluated, generating a sub-network segment to be scanned from that network segment.
Illustratively, the internet of things system IP address network segment under evaluation may include one or more network segments.
For example, for any one of the internet of things system IP address segments to be evaluated, one or more sub-segments to be scanned may be generated.
For example, the IP address network segments of the internet of things system to be evaluated may include one or more class B network segments, and for any one of the IP address network segments of the internet of things system to be evaluated, the corresponding sub-network segment to be scanned may include one or more class C network segments.
Step S120, scanning the sub-network segment to be scanned, and determining the target terminal devices in the sub-network segment to be scanned; a target terminal device is an Internet of things terminal device that has a designated public service port open and/or has a designated exploitable security problem; the designated public service port is a public service port that can be accessed without authorization, and the designated exploitable security problem is a security problem through which terminal command execution authority can be obtained.
In the embodiment of the application, for any sub-network segment to be scanned, the target terminal devices in the sub-network segment to be scanned can be determined by scanning each IP address in the sub-network segment to be scanned.
In one example, each IP address in the sub-network segment to be scanned may be determined, it may be determined whether the Internet of things terminal corresponding to each IP address has the designated public service port open, and an Internet of things terminal that has the designated public service port open may be determined to be a target terminal device.
The designated public service port is a public service port that can be accessed without authorization, that is, a public service port that can be accessed without a user name and password, or that can be accessed with a default user name and password, or that can be accessed with a weak password.
A weak password is a password that contains only simple digits and letters, such as "123456" or "abc", and is easily cracked.
In another example, each IP address in the sub-network segment to be scanned may be determined, it may be determined whether the Internet of things terminal corresponding to each IP address has the designated exploitable security problem, and an Internet of things terminal that has the designated exploitable security problem may be determined to be a target terminal device.
The designated exploitable security problem is a security problem through which command execution authority on the terminal can be obtained, such as a command injection security problem or a code execution security problem.
Step S130, for any target terminal device, injecting a target command into the target terminal device so that the target terminal device downloads and loads, according to the target command, virtual threat software matching the operating system architecture of the device; while the virtual threat software runs in the target terminal device, it collects the security evaluation basic data of the target terminal device and returns it to the central server.
In the embodiment of the application, the target command can be injected into the target terminal device by means of end-to-end command injection.
The target command instructs the target terminal device to download and load virtual threat software matching the operating system architecture of the target terminal device.
Illustratively, compared with traditional malicious software, the virtual threat software removes the device exploitation function of traditional malicious software (that is, it does not use the device for malicious purposes, does not exploit the device, and does not consume its resources), and adds route topology detection and data statistics return functions. The virtual threat software simulates an attack on the device and does not cause any actual attack impact.
In one example, for any target terminal device, the operating system architecture information of the target terminal device may be acquired, and a corresponding target command may be injected into the target terminal device according to that operating system architecture information.
In another example, once the target command has been injected, the target terminal device may send a virtual threat software download request to the central server (which stores and distributes the virtual threat software) according to the target command. The download request may carry the operating system architecture information of the target terminal device, and the central server may distribute to the target terminal device the virtual threat software matching its operating system architecture.
For example, the target terminal device may obtain, based on the target command, an installation package (binary file) of the virtual threat software matching the operating system architecture of the device, and load the virtual threat software from the installation package.
In the embodiment of the application, in the process of running the virtual threat software in the target terminal equipment, the target terminal equipment can collect the security evaluation basic data of the equipment and transmit the security evaluation basic data back to the central server.
By way of example, the security assessment base data may include, but is not limited to, some or all of device data, network topology data, security problem data, weak password data, and the like.
The device data may include, but is not limited to, some or all of the device IP address, MAC (Media Access Control) address, device name, version, signal, etc.
The network topology data may include connection relationships between devices, locations of devices in the network, and the like.
The security problem data may include information on the security problems that scanning determined to be present on the device.
The weak password data may include information such as a user name and password of the device.
Step S140, performing security evaluation on the Internet of things system to be evaluated according to the collected security evaluation basic data of each target terminal device in the Internet of things system to be evaluated.
In the embodiment of the application, once scanning of all devices in the Internet of things system to be evaluated has been completed, security evaluation of the Internet of things system to be evaluated can be performed according to the collected security evaluation basic data of each target terminal device in that system.
In some embodiments, the security evaluation basic data includes some or all of device data, network topology data, security problem data, and weak password data;
performing security evaluation on the Internet of things system to be evaluated according to the collected security evaluation basic data of each target terminal device in the Internet of things system to be evaluated may include:
in the case where the security evaluation basic data includes device data, determining the device infection rate of the Internet of things system to be evaluated according to the collected security evaluation basic data of each target terminal device in that system; the device data includes IP addresses, and the device infection rate includes the ratio of the number of IP addresses of target terminal devices to the total number of IP addresses of the devices to be scanned;
and/or,
in the case where the security evaluation basic data includes network topology data, determining the infected network locations of the Internet of things system to be evaluated according to the collected security evaluation basic data of each target terminal device in that system;
and/or,
in the case where the security evaluation basic data includes security problem data and/or weak password data, determining the problem type of the Internet of things system to be evaluated according to the security evaluation basic data of each target terminal device in that system.
For example, in the case where the security evaluation base data includes device data including IP addresses, the center server may determine the number of IP addresses of infected terminal devices (i.e., the number of infected terminal devices) from the collected device data, and determine the ratio of the number of IP addresses of infected terminal devices to the total number of IP addresses of devices to be scanned as the device infection rate.
In one example, the total number of IP addresses of the devices to be scanned may be determined from a user-provided list of devices (or referred to as an asset list) in the internet of things system to be scanned.
In another example, the total number of IP addresses of the devices to be scanned may be counted in real time during the scanning, i.e. the number of IP addresses of the scanned terminal devices is counted during the scanning.
For example, in the case where the security evaluation base data includes network topology data, the central server may determine an infected network location of the to-be-evaluated internet of things system according to network topology data of each target terminal device in the to-be-evaluated internet of things system.
For example, the infected network location may include the location of the infected device in the network.
For example, in the case where the security evaluation base data includes security problem data and/or weak password data, the central server may determine the problem type of the internet of things system to be evaluated according to the collected security problem data and/or weak password data of each target terminal device in the internet of things system to be evaluated.
For example, the problem types may include many security problems (e.g., if the number of terminal devices with security problems exceeds a first proportional threshold, the problem type is determined to be many security problems) or many weak passwords (e.g., if the number of terminal devices with weak passwords exceeds a second proportional threshold, the problem type is determined to be many weak passwords).
It should be noted that, in the embodiment of the present application, a security problem may be associated with a component version, a device model, or the like. Therefore, when the device data includes data such as the device model and component version, and the security problem data includes a security problem associated with a component version or device model, other terminal devices of the same device model or component version may be checked, according to the device model or component version of the terminal device that reported the security problem data, to determine whether they have a similar security problem. This avoids missing a security problem on a terminal device that, for some specific reason, was not found by scanning, and further improves the security of the Internet of Things system.
In one example, in a case where a device infection rate of the internet of things system to be evaluated is determined, the method may further include:
determining the security protection level of the Internet of Things system to be evaluated according to its device infection rate; the security protection level of the Internet of Things system to be evaluated is negatively correlated with its device infection rate.
For example, the security protection capability of the internet of things system to be evaluated can be determined according to the device infection rate of the internet of things system to be evaluated.
For example, the security capabilities may include a system security level determined from the device infection rate, e.g., the higher the device infection rate, the lower the security level; alternatively, the security capability may be divided into a plurality of different levels according to the different intervals in which the device infection rate is located.
In one example, in a case where an infected network location of the internet of things system under evaluation is determined, the method may further include:
and determining risk points of the to-be-evaluated Internet of things system according to the infection network position of the to-be-evaluated Internet of things system.
Illustratively, the security protection capability of the internet of things system to be evaluated may further include a location (may be referred to as a risk point) with weak protection capability in the network determined according to the location of the infected network and the network topology data.
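The evaluation step described above, sketched as an added example (not code from the patent). The asset list, the reports, the level boundaries and both proportional thresholds are constructed; measuring the thresholds against the number of reporting devices and locating infections by upstream switch are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed asset list: ip -> (device model, component version, upstream switch).
ASSETS = {
    "10.0.0.11": ("cam-A", "web-1.2", "sw-1"),
    "10.0.0.12": ("cam-A", "web-1.2", "sw-1"),
    "10.0.0.13": ("cam-B", "web-1.2", "sw-1"),
    "10.0.0.14": ("nvr-C", "web-2.0", "sw-1"),
    "10.0.0.15": ("cam-A", "web-1.3", "sw-1"),
    "10.0.1.21": ("cam-B", "web-2.0", "sw-2"),
    "10.0.1.22": ("nvr-C", "web-2.0", "sw-2"),
    "10.0.1.23": ("cam-D", "web-3.1", "sw-2"),
}


@dataclass
class Report:
    """Security evaluation basic data returned by one target terminal device."""
    ip: str
    problems: list = field(default_factory=list)  # (problem id, "model" | "component")
    weak_password: bool = False


# Constructed reports: a device that reports is counted as infected.
REPORTS = [
    Report("10.0.0.11", problems=[("cmd-injection-demo", "model")]),
    Report("10.0.0.13", weak_password=True),
    Report("10.0.0.14", problems=[("code-exec-demo", "component")], weak_password=True),
]

# Hypothetical values; the page only says that intervals and thresholds exist.
LEVEL_BOUNDS = [(0.05, "high"), (0.20, "medium"), (0.50, "low")]
FIRST_THRESHOLD = 0.5    # share of reporting devices with a security problem
SECOND_THRESHOLD = 0.7   # share of reporting devices with a weak password


def infection_rate(reports, assets):
    """Infected IP addresses divided by the total number of IP addresses to scan."""
    infected = {r.ip for r in reports if r.ip in assets}
    return len(infected) / len(assets)


def protection_level(rate):
    """Map the infection rate to a level: the higher the rate, the lower the level."""
    for bound, level in LEVEL_BOUNDS:
        if rate < bound:
            return level
    return "very low"


def problem_types(reports):
    """Problem types of the whole system, from the two proportional thresholds."""
    if not reports:
        return []
    n = len(reports)
    types = []
    if sum(bool(r.problems) for r in reports) / n > FIRST_THRESHOLD:
        types.append("many security problems")
    if sum(r.weak_password for r in reports) / n > SECOND_THRESHOLD:
        types.append("many weak passwords")
    return types


def same_build_followup(reports, assets):
    """Devices that did not report but share the model or component version
    that a reported security problem is tied to, and so should be checked."""
    reported = {r.ip for r in reports}
    todo = defaultdict(list)
    for r in reports:
        if r.ip not in assets:
            continue
        model, component, _ = assets[r.ip]
        for problem_id, bound_to in r.problems:
            for ip, (m, c, _) in sorted(assets.items()):
                if ip in reported:
                    continue
                if (bound_to == "model" and m == model) or (
                    bound_to == "component" and c == component
                ):
                    todo[problem_id].append(ip)
    return dict(todo)


def infected_share_by_switch(reports, assets):
    """Infected share per upstream switch; a high share marks a risk point."""
    reported = {r.ip for r in reports}
    total, hit = defaultdict(int), defaultdict(int)
    for ip, (_, _, switch) in assets.items():
        total[switch] += 1
        hit[switch] += ip in reported
    return {s: hit[s] / total[s] for s in total}
```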
Referring to fig. 2, a flow chart of an internet of things security assessment method based on virtual threat distribution provided by an embodiment of the present application is shown, where the method may be applied to a terminal device, and as shown in fig. 2, the internet of things security assessment method based on virtual threat distribution may include the following steps:
Step S200, receiving a target command; the target command is injected into the terminal device by the central server when the central server scans a sub-network segment to be scanned and determines that the terminal device is a target terminal device in that sub-network segment, the sub-network segment to be scanned being generated by the central server according to the acquired IP address network segment of the Internet of Things system to be evaluated; or, the target command is injected into the terminal device by a target terminal device when that target terminal device scans the addresses to be scanned associated with it and determines that the terminal device is a new target terminal device. A target terminal device is an Internet of Things terminal device that has a specified public service port open and/or has a specified available security problem; the specified public service port is a public service port that can be accessed without authorization, and the specified available security problem is a security problem through which terminal command execution authority can be obtained.
In the embodiment of the present application, for the specific implementation of the terminal device receiving the target command, reference may be made to the related description of the method flow shown in fig. 1.
Step S210, downloading and loading, according to the target command, virtual threat software matched with the operating system architecture of this device, and running the virtual threat software to collect security evaluation basic data of this device and return it to the central server; the security evaluation basic data is used by the central server to perform security evaluation on the Internet of Things system to be evaluated.
In the embodiment of the application, for the terminal equipment, the target command can be injected into the terminal equipment by using an end-to-end command injection mode.
The target command is used for indicating the terminal equipment to download and load virtual threat software matched with the operating system framework of the terminal equipment.
Illustratively, compared with traditional malicious software, the virtual threat software removes the device utilization function of traditional malicious software (i.e., it does not use the device for malicious purposes and does not exploit the device or consume its resources), and adds route topology detection and a data statistics return function. The virtual threat software simulates an attack on the device without causing the impact of an actual attack.
In one example, for any terminal device, the operating system architecture information of the terminal device may be obtained, and a corresponding target command may be injected into the target terminal device according to the operating system architecture information of the terminal device.
In another example, when the target command is injected, the terminal device may send a virtual threat software download request to the central server (for storing and distributing the virtual threat software) according to the target command, where the download request may carry information about an operating system architecture of the terminal device, and the central server may distribute the virtual threat software matched with the operating system architecture of the terminal device to the terminal device.
For example, the terminal device may obtain an installation package (binary file) of the virtual threat software matched with the operating system architecture of this device based on the target command, and load the virtual threat software based on the installation package.
In the embodiment of the application, while the virtual threat software is running on the target terminal device, it can collect the security evaluation basic data of the target terminal device and return the data to the central server.
By way of example, the security assessment base data may include, but is not limited to, some or all of device data, network topology data, security problem data, weak password data, and the like.
The device data may include, but is not limited to, some or all of device IP address, MAC (Media Access Control ) address, device name, version, signal, etc.
The network topology data may include connection relationships between devices.
The security issue data may include security issue information present in the scan-determined device.
The weak password data may include information such as a user name and password of the device.
It can be seen that, in the method flow shown in fig. 1 or fig. 2, the IP address network segments of the Internet of Things system to be evaluated are acquired; for any such IP address network segment, a sub-network segment to be scanned is generated from it and scanned to determine the target terminal devices in it; and for any target terminal device, a target command is injected into it. On receiving the target command, the terminal device downloads and loads virtual threat software matched with the operating system architecture of this device according to the target command, and runs the virtual threat software to collect security evaluation basic data of the target terminal device and return it to the central server. The central server performs security evaluation on the Internet of Things system to be evaluated according to the collected security evaluation basic data of each target terminal device in that system, thereby realizing security evaluation of the Internet of Things environment. In addition, because device infection and data collection are carried out with virtual threat software, the security evaluation is achieved without damaging the Internet of Things environment.
In some embodiments, in a process of the virtual threat software running in the terminal device, the method for evaluating security of the internet of things based on virtual threat distribution may further include:
determining an address to be scanned associated with the terminal equipment, determining a new target terminal by scanning the address to be scanned, and injecting a target command into the new target terminal equipment.
For example, in order to increase the diffusion speed of the virtual threat software in the internet of things system to be evaluated, the target terminal device running the virtual threat software may scan to find a new target terminal and propagate the virtual threat software to the new target terminal in a command injection manner, in addition to collecting and uploading the security evaluation basic data in the above manner.
Accordingly, in the process of running the virtual threat software in the terminal device, the terminal device may also determine an address to be scanned associated with the device, determine a new target terminal according to the manner described in the above embodiment by scanning the address to be scanned, and inject a target command into the determined new target terminal device, so that the new target terminal device downloads and runs the virtual threat software according to the manner described in the above embodiment.
It can be seen that, in the embodiment of the present application, in addition to the implementation of the diffusion of the virtual threat software by injecting the target command into the target terminal device determined by scanning through the central server, the terminal device downloaded and running the virtual threat software may determine a new target terminal by scanning, and perform the injection of the target command, thereby improving the diffusion speed of the virtual threat software in the system of the internet of things to be evaluated, further improving the collection speed of the security evaluation basic data, and improving the security evaluation efficiency of the internet of things.
In addition, some terminal devices in the Internet of Things system may only be reachable through an intranet, and the central server may not be able to inject the target command into them directly. With target command injection between terminal devices, the central server can inject the target command into an edge terminal device of the intranet (such a terminal device can usually access both the external network and the intranet), and once the edge terminal device has downloaded and is running the virtual threat software, it injects the target command into the target terminal devices in the intranet, thereby realizing infection of a private intranet and improving the comprehensiveness of the security assessment.
In one example, the addresses to be scanned associated with the terminal device may include: other IP addresses that are determined, according to the local IP address and subnet mask of the terminal device, to be in the same subnet as the local IP address of the terminal device.
For any terminal device, the other IP addresses in the same subnet as the local IP address of the terminal device can be determined as the addresses to be scanned associated with the terminal device according to the local IP address of the terminal device and the subnet mask.
For example, assuming that the local IP address of the terminal device is 192.168.0.100 and the subnet mask is 255.255.255.0, the local network containing the terminal device can allocate a total of 254 IP addresses, from 192.168.0.1 to 192.168.0.254. In this case, the addresses to be scanned associated with the terminal device may include the 254 IP addresses from 192.168.0.1 to 192.168.0.254 (when scanning, the IP address of the device itself need not be scanned).
In one example, the addresses to be scanned associated with the terminal device may include: IP addresses that are recorded as being in the surviving state in the ARP table and/or the routing table of the terminal device.
Illustratively, considering that the ARP (Address Resolution Protocol ) table and the routing table of the terminal device each record an IP address that is interactive with the terminal device and is determined to be in a surviving state for a certain period of time, the IP address that is associated with the terminal device and is in a surviving state can be efficiently determined according to the ARP table and/or the routing table.
Accordingly, in order to improve address scanning efficiency, the IP address in the surviving state recorded in the ARP table and/or the routing table of the terminal device may be determined as the address to be scanned associated with the terminal device according to the ARP table and/or the routing table of the terminal device.
It should be noted that the surviving states of the IP addresses recorded in the ARP table and the routing table may have a certain refresh period, so the recorded surviving state may differ from the actual state of the IP address; for example, if an IP address in the surviving state goes down before the next refresh, it is no longer actually in the surviving state, but the state recorded in the ARP table and/or the routing table is still the surviving state.
In an example, the internet of things security assessment method based on virtual threat distribution provided by the embodiment of the application may further include:
Receiving IP address information of infected terminal devices issued by the central server; the IP address information of infected terminal devices is compiled by the central server from the IP address information of the terminal devices in the reported security evaluation basic data; an infected terminal device is a terminal device that has reported security evaluation basic data;
accordingly, determining the address to be scanned associated with the terminal device comprises: an address to be scanned associated with the terminal device and not belonging to the infected terminal device is determined.
In one example, a scan address associated with a terminal device includes: other IP addresses which are in the same subnet as the IP address of the terminal equipment and do not belong to the IP address of the infected terminal equipment; or, the ARP table and/or the routing table of the terminal device record other IP addresses that are in a surviving state and that do not belong to the IP address of the infected terminal device.
For example, in order to avoid repeated distribution of the virtual threat software, IP address information of an infected terminal device (i.e., a terminal device having undergone target command injection) may be maintained during the process of performing virtual threat software distribution, and the IP address information of the infected terminal device may be also transmitted to the determined target terminal device.
For any target terminal device, the central server may determine that the target terminal device is an infected terminal device if receiving the security evaluation base data reported by the target terminal device, add the IP address of the target terminal device to the IP address information of the infected terminal device (the IP address information of the infected terminal device includes the IP address of the target terminal device, and the IP addresses of other target terminal devices determined to be infected terminal devices before the target terminal device reports the security evaluation base data), and issue the updated IP address information of the infected terminal device to the target terminal device, so that the target terminal device may determine the IP address information of the current infected terminal device.
For example, assuming that the central server receives the security evaluation base data reported by the terminal device b, the terminal device b may be determined to be an infected terminal device, and the IP address of the terminal device b (assumed to be IP b) is added to the IP address information of the infected terminal device, to obtain updated IP address information of the infected terminal device.
Assuming that, before the central server received the security evaluation basic data reported by terminal device b, the IP addresses of infected terminal devices included IP a1, IP a2 and IP a3 (corresponding to terminal devices a1, a2 and a3 respectively), the IP address information of infected terminal devices after being updated in the above manner includes IP a1, IP a2, IP a3 and IP b. The central server may issue the updated IP address information of infected terminal devices to terminal device b. When scanning to determine new target terminals, terminal device b will not determine any of terminal devices a1, a2 and a3 to be a new target terminal device even if it scans them, so that repeated infection of terminal devices a1, a2 and a3 is avoided.
Assuming that terminal device b determines a new target terminal device through scanning (assumed to be terminal device c, with IP address IP c), terminal device b may inject a target command into terminal device c, so that terminal device c downloads and runs the virtual threat software and collects security evaluation basic data to report to the central server. When the central server receives the security evaluation basic data reported by terminal device c, it updates the IP address information of infected terminal devices again; the updated information includes IP a1, IP a2, IP a3, IP b and IP c. The central server issues the updated IP address information of infected terminal devices to terminal device c.
Accordingly, for a terminal device that receives a target command and downloads virtual threat software, the virtual threat software runs on the terminal device, and in the process of determining a new target terminal through scanning, an infected terminal device (determined according to the IP address information of the infected terminal device) can be filtered out from the scanned new target terminal device.
Based on this, the scan address associated with the terminal device may include: other IP addresses which are in the same subnet as the IP address of the terminal equipment and do not belong to the IP address of the infected terminal equipment; or, the ARP table and/or the routing table of the terminal device record other IP addresses that are in a surviving state and that do not belong to the IP address of the infected terminal device.
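The two ways of deriving the addresses to be scanned described above, with the infected-address filter applied, as an added example (not code from the patent). The function names are hypothetical, the ARP table text is constructed in the layout of Linux `/proc/net/arp`, and treating the completed-entry flag 0x2 as the surviving state is an assumption.

```python
import ipaddress

# Constructed sample in the layout of Linux /proc/net/arp (documentation MACs).
ARP_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.0.1      0x1         0x2         00:00:5e:00:53:01     *        eth0
192.168.0.37     0x1         0x2         00:00:5e:00:53:25     *        eth0
192.168.0.52     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.0.80     0x1         0x2         00:00:5e:00:53:50     *        eth0
"""

ATF_COM = 0x2  # kernel flag: the ARP entry is complete (a reply was seen)


def subnet_addresses(local_ip, netmask):
    """All assignable host addresses of the subnet that contains local_ip."""
    net = ipaddress.ip_network(f"{local_ip}/{netmask}", strict=False)
    return list(net.hosts())


def arp_alive_addresses(arp_text):
    """Addresses whose ARP entry is complete; incomplete entries are skipped.

    The table is only refreshed periodically, so an entry can outlive its host.
    """
    alive = []
    for line in arp_text.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue                          # blank or malformed line
        try:
            addr = ipaddress.ip_address(fields[0])
            flags = int(fields[2], 16)
        except ValueError:
            continue
        if flags & ATF_COM:
            alive.append(addr)
    return alive


def addresses_to_scan(local_ip, netmask, infected, arp_text=None):
    """Candidates minus the device itself and minus already-infected devices.

    With arp_text the candidates are the live ARP entries; otherwise they
    are all host addresses of the local subnet.
    """
    own = ipaddress.ip_address(local_ip)
    skip = {ipaddress.ip_address(i) for i in infected} | {own}
    if arp_text is None:
        candidates = subnet_addresses(local_ip, netmask)
    else:
        candidates = arp_alive_addresses(arp_text)
    return [str(a) for a in sorted(set(candidates) - skip)]
```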
In one example, the terminal device has an external network communication authority and receives the target command from the sending end device of the target command through the external network, where the determining the address to be scanned associated with the terminal device may include:
and under the condition that the terminal equipment also has the intranet access authority, determining the intranet IP address with the access authority of the terminal equipment as the address to be scanned associated with the terminal equipment.
For example, in order to implement infection for a private intranet, for a terminal device (i.e., a terminal device that can communicate with an external network and access the intranet) that has an external network communication right and an internal network access right, under the condition that virtual threat software is downloaded and run in the above manner, an internal network IP address that has an access right of itself can be further scanned, so as to determine a target terminal device in the intranet.
In one example, the terminal device receives the target command from the sending end device of the target command through the intranet, and determines the intranet IP address of the terminal device with the access right as the address to be scanned associated with the terminal device under the condition that the terminal device has the access right of the intranet.
In some embodiments, the new target terminal device is determined by performing a stateless scan of the addresses to be scanned using a preset scanning method;
The preset scanning method comprises the following steps: sequential scanning methods, split and sequential scanning methods, limited random scanning methods, or split and random scanning methods.
For example, only an Internet of Things terminal device whose IP address is in the surviving state can be found by scanning to have a specified public service port open and/or to have a specified available security problem. Therefore, in order to improve device scanning efficiency, once the addresses to be scanned associated with the target terminal device are determined, the preset scanning method may be used to perform a stateless scan of the addresses to be scanned and determine the new target terminal device.
By way of example, a stateless scan of the addresses to be scanned means that no survivability detection is performed before an address to be scanned is scanned for whether a specified public service port is open and/or whether a specified available security problem exists.
Exemplarily, the preset scanning methods may include, but are not limited to: sequential scanning methods, split and sequential scanning methods, limited random scanning methods, or split and random scanning methods.
The sequential scanning method is to scan each address to be scanned sequentially according to a certain sequence.
The dividing and sequential scanning method is to divide the address to be scanned into a plurality of parts and scan the address to be scanned of each part sequentially according to a certain sequence.
The restricted random scanning method refers to a random scanning method in which a specified restriction condition (such as a network segment restriction) is added.
The dividing and random scanning method is to divide the address to be scanned into a plurality of parts and concurrently randomly scan the address to be scanned of each part.
In some embodiments, after receiving the target command, the method for evaluating security of internet of things based on virtual threat distribution provided by the embodiment of the application may further include:
under the condition that a virtual threat software destroying instruction issued by a central server is received, virtual threat software on the device is destroyed; the virtual threat software destroying instruction is sent by the center server under the condition that the center server receives the security evaluation basic data reported by the terminal equipment.
For example, for the case that the terminal device does not participate in the virtual threat software diffusion, for any target terminal device, the central server may issue a virtual threat software destruction instruction to the target terminal device under the condition that the central server receives the security evaluation basic data reported by the target terminal device, so as to instruct the target terminal device to delete the virtual threat software on the device, thereby avoiding that the virtual threat software always occupies the storage space of the target terminal device.
In other embodiments, after receiving the target command, the method for evaluating security of internet of things based on virtual threat distribution according to the embodiment of the present application may further include:
and in the case where the sending end device of the target command is another terminal device, sending a virtual threat software destruction instruction to the sending end device of the target command, so that the sending end device, once the virtual threat software running on it has completed the collection and return of the security evaluation basic data and has injected the target command into the determined new target terminal device, destroys the virtual threat software on itself.
For example, for a scenario that the terminal device participates in the virtual threat software diffusion, the terminal device may send a virtual threat software destruction instruction to a sending end device of the target command when receiving the target command sent by other terminal devices.
For the terminal equipment receiving the virtual threat software destroying instruction, under the condition that the collection and the return of the security evaluation basic data are completed and the injection of the target command to the determined new target terminal equipment is completed, the virtual threat software on the terminal equipment is destroyed, and the virtual threat software is prevented from occupying the storage space of the terminal equipment all the time.
In order to enable those skilled in the art to better understand the technical solutions provided by the embodiments of the present application, the technical solutions provided by the embodiments of the present application are described below with reference to specific examples.
In this embodiment, a malicious-threat simulation distribution and Internet of Things security protection capability assessment system based on end-to-end command injection propagation and limited-range stateless scanning is provided. The device utilization function of traditional malicious software is removed, and route topology detection and a data statistics return function are added. The virtual threat can be spread to Internet of Things devices that are located in an intranet and assigned private IP addresses (local area network IP addresses): an edge terminal device can access both the external network and the intranet, so intranet terminal devices can be infected further by first infecting the edge terminal device. This solves the problem of the inefficient propagation of traditional methods in infrastructure. Meanwhile, a limited-range stateless scanning method is applied to the malicious software simulation tool, which effectively addresses the problem of the wide range of IP addresses to be scanned and achieves fast propagation coverage within the target infrastructure. Finally, through topology detection and data return, the virtual threat infection rate of the target Internet of Things system, the topology of the specific infected areas, and the infection causes (high-risk security problems, weak passwords and the like) are counted, thereby achieving security evaluation of the Internet of Things system.
For example, the internet of things security capability assessment system may include a central server and virtual threat software. The central server can comprise a data receiving and security evaluation module and a virtual threat software storage and distribution module; the virtual threat software can comprise an end-to-end command injection propagation module, a limited range stateless scanning module and a data collection statistics and feedback module, wherein the specific construction method of each module is as follows:
1. End-to-end command injection propagation module
The end-to-end command injection propagation module injects a file transmission command (i.e., the target command) into a vulnerable Internet of Things device by using a high-risk security problem (the specified available security problem) or a weak password (corresponding to the specified public service port); the attacked device then executes the injected command to download a virtual threat software binary file (i.e., a virtual threat software installation package) from the central server.
Illustratively, an attacked device may download a virtual threat software installation package matching the operating system architecture of the device from the server using a network request command built into the system (e.g., a get command under the Linux system).
An intranet device can freely access devices (such as a server) on its parent network (local area network), which allows the virtual threat software to propagate within the intranet.
Exemplarily, the virtual threat software propagation steps are as follows:
Step 1.1: scanning whether a target terminal device in the Internet of Things has a specified public service port open (e.g., a Telnet (a remote terminal protocol) port, an FTP (File Transfer Protocol) port, an SSH (Secure Shell) port, etc.).
Step 1.2: scanning whether a target terminal device in the Internet of Things has a specified available security problem (such as a command injection security problem, a code execution security problem, etc.).
It should be noted that there is no required order between step 1.1 and step 1.2: step 1.1 may be executed before step 1.2, step 1.2 may be executed before step 1.1, or the two steps may be executed concurrently.
Step 1.3: performing weak-password brute forcing against the specified public service port opened by the device, or using the specified available security problem of the device, to obtain device command invocation authority (which also indicates that the device can be attacked and infected by malicious software).
Step 1.4: obtaining device information (such as the operating system architecture), determining the virtual threat software installation package that matches the operating system architecture of the infected device, and, using the command invocation authority obtained on the device, injecting the command and downloading the virtual threat software installation package.
Step 1.5: loading the virtual threat software. The virtual threat software loader responds to requests from the device that downloaded the virtual threat software installation package and loads the virtual threat software.
2. Limited range stateless scanning module
The limited-range stateless scanning module scans only the range of IP addresses that can be allocated to devices connected to the local network, and does not scan IP addresses outside that range.
In one example, for any terminal device running virtual threat software, the limited range scanning method may use the local IP address and subnet mask of the terminal device to derive the allocable address range of the local network containing the terminal device.
For example, assuming that the local IP address of the terminal device is 192.168.0.100 and the subnet mask is 255.255.255.0, the local network containing the terminal device has a total of 254 allocable IP addresses, from 192.168.0.1 to 192.168.0.254. In this case, the 254 IP addresses between 192.168.0.1 and 192.168.0.254 can be scanned.
Unlike traditional malware, which scans all IP addresses except those on a specified list (the IP addresses on that list do not need to be scanned), the virtual threat software scans a limited range of IP addresses. Because there are few scannable IP addresses, the limited range scanning method propagates faster than the conventional random scanning method.
To verify a security solution that can detect and prevent a fast-propagating threat within the internet of things infrastructure, the malware must propagate quickly within that infrastructure. The limited range stateless scanning method therefore performs stateless scanning, without waiting for a timeout before moving to a new IP. There are four specific scanning strategies, from which the user can choose freely in order to spread the malicious software faster: the sequential scanning method, the segmentation and sequential scanning method, the limited random scanning method, and the segmentation and random scanning method.
3. Data collection statistics and feedback module
Device information, security problem information, weak password information, network topology information and the like of the infected device are collected and transmitted back to the server as basic data of security assessment.
4. Security assessment module
Based on the returned data, this module calculates the device infection rate, the specific infected network locations, the problem types and the like of the current internet of things system, evaluates the security protection capability of the current internet of things in detail, and outputs the problem types.
In this embodiment, the specific implementation flow of the security assessment of the internet of things is as follows:
Step 1: a user inputs the IP address (which may comprise one or more IP address network segments) of the internet of things system to be evaluated into the evaluation system;
Step 2: the system generates, for the target, a controllable-range set of target devices to be scanned (namely the internet of things terminals in a sub-network segment to be scanned), and then scans those devices for the specified available security problems and/or the specified public service ports;
Step 3: for each internet of things terminal (namely target terminal device) that has a specified available security problem or an open specified public service port, end-to-end command injection is carried out, that is, a command is injected based on the acquired permission so that the virtual threat distribution software is loaded and infects the device;
Step 4: through the data acquisition and return module, device data, network topology data, security problem data, weak password data and the like are collected and returned to the central server;
Step 5: for each terminal device running the virtual threat software, the local IP address and subnet mask of the device are acquired, a further limited-scope list of devices to be scanned is generated, the list is scanned to determine new target terminal devices, and so on until all devices of the internet of things system have been scanned;
Step 6: based on the returned data, the system platform calculates the device infection rate, the specific infected network locations, the problem types (such as many weak passwords or many security problems) and the like of the current internet of things system, evaluates the security protection capability of the current internet of things in detail, and outputs the problem types.
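The evaluation in step 6, as an added example that is not part of the patent: it computes the device infection rate as the number of reporting device IP addresses divided by the number of IP addresses to be scanned, then derives per-segment infection locations, problem-type counts and a protection level. The report field names, issue labels, sample data and level thresholds are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed input: IP address segments submitted for evaluation (step 1).
# Segments are assumed to be IPv4 and not to overlap.
SEGMENTS = ["192.168.0.0/24", "10.10.1.0/28"]

# Constructed returned data (step 4); field names and issue labels are
# hypothetical, not a format defined by the document.
REPORTS = [
    {"ip": "192.168.0.100", "issues": ["weak_password"]},
    {"ip": "192.168.0.101", "issues": ["command_injection"]},
    {"ip": "192.168.0.100", "issues": ["weak_password", "open_telnet"]},  # repeat
    {"ip": "10.10.1.5", "issues": ["weak_password"]},
    {"ip": "10.10.1.6", "issues": ["code_execution"]},
    {"ip": "10.10.1.7", "issues": ["weak_password"]},
    {"ip": "172.16.0.9", "issues": ["weak_password"]},  # outside every segment
]


def scannable_hosts(segment):
    """Number of assignable addresses in a segment, e.g. 254 for a /24."""
    net = ipaddress.IPv4Network(segment)
    # Network and broadcast addresses are not assignable below /31.
    return net.num_addresses - 2 if net.prefixlen <= 30 else net.num_addresses


def protection_level(rate):
    """Map an infection rate to a level; a higher rate gives a lower level."""
    # Thresholds are assumptions: the document states only the inverse relation.
    if rate == 0:
        return "high"
    return "medium" if rate < 0.10 else "low"


def assess(segments, reports):
    """Aggregate returned reports into the step 6 evaluation outputs."""
    nets = {s: ipaddress.IPv4Network(s) for s in segments}
    issues_by_ip = {}     # in-scope device IP -> set of issue labels
    segment_of = {}       # in-scope device IP -> segment it belongs to
    out_of_scope = set()  # reporters outside the evaluated segments
    for report in reports:
        ip = ipaddress.IPv4Address(report["ip"])
        seg = next((s for s, n in nets.items() if ip in n), None)
        if seg is None:
            # Never count a device the evaluation was not authorised to cover;
            # surface it instead, since it means the scope was exceeded.
            out_of_scope.add(str(ip))
            continue
        # Merge repeat reports so each device is counted once.
        issues_by_ip.setdefault(str(ip), set()).update(report["issues"])
        segment_of[str(ip)] = seg

    total = sum(scannable_hosts(s) for s in segments)
    infected_per_segment = Counter(segment_of.values())
    rate_per_segment = {
        s: infected_per_segment[s] / scannable_hosts(s) for s in segments
    }
    rate = len(issues_by_ip) / total
    problem_types = Counter(i for found in issues_by_ip.values() for i in found)
    # Risk points: segments with at least one infected device, worst first.
    risk_points = sorted(
        (s for s in segments if infected_per_segment[s]),
        key=lambda s: rate_per_segment[s],
        reverse=True,
    )
    return {
        "total_scannable": total,
        "infected": len(issues_by_ip),
        "infection_rate": rate,
        "rate_per_segment": rate_per_segment,
        "problem_types": dict(problem_types),
        "risk_points": risk_points,
        "protection_level": protection_level(rate),
        "out_of_scope": sorted(out_of_scope),
    }


if __name__ == "__main__":
    for key, value in assess(SEGMENTS, REPORTS).items():
        print(f"{key}: {value}")
```

The overall rate can look low while one small segment is heavily affected, which is why the per-segment rates drive the risk-point ordering.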
The method provided by the application is described above. The device provided by the application is described below:
Referring to fig. 3, a schematic structural diagram of an internet of things security assessment device based on virtual threat distribution according to an embodiment of the present application is provided. The device may be deployed at a central server and, as shown in fig. 3, may include:
an obtaining unit 310, configured to obtain an IP address network segment of the system of the internet of things to be evaluated;
the generating unit 320 is configured to generate, for any one of the network segments of IP addresses of the system of the internet of things to be evaluated, a sub-network segment to be scanned according to the network segment of IP addresses of the system of the internet of things;
a determining unit 330, configured to scan the sub-network segment to be scanned, and determine a target terminal device in the sub-network segment to be scanned; the target terminal device is an internet of things terminal device that has a specified public service port open and/or has a specified available security problem; the specified public service port is a public service port that can be accessed without authorization, and the specified available security problem is a security problem through which terminal command execution permission can be obtained;
An injection unit 340, configured to, for any target terminal device, inject a target command into the target terminal device, so that the target terminal device downloads and loads virtual threat software matched with an operating system framework of the device according to the target command; the virtual threat software collects security evaluation basic data of the target terminal equipment through the target terminal equipment and returns the security evaluation basic data to the central server in the process of running in the target terminal equipment;
the evaluation unit 350 is configured to perform security evaluation on the internet of things system to be evaluated according to the collected security evaluation basic data of each target terminal device in the internet of things system to be evaluated.
In some embodiments, the security assessment base data includes: some or all of device data, network topology data, security problem data, weak password data;
the evaluation unit performs security evaluation on the internet of things system to be evaluated according to the collected security evaluation basic data of each target terminal device in the internet of things system to be evaluated, and the evaluation unit comprises:
under the condition that the security evaluation basic data comprises equipment data, determining the equipment infection rate of the to-be-evaluated Internet of things system according to the collected security evaluation basic data of each target terminal equipment in the to-be-evaluated Internet of things system; wherein the device data includes IP addresses, and the device infection rate includes a ratio of the number of IP addresses of the target terminal device to the total number of IP addresses of the device to be scanned;
and/or,
under the condition that the security evaluation basic data comprises network topology data, determining the infection network position of the to-be-evaluated Internet of things system according to the collected security evaluation basic data of each target terminal device in the to-be-evaluated Internet of things system;
and/or,
and under the condition that the security evaluation basic data comprises security problem data and/or weak password data, determining the problem type of the to-be-evaluated Internet of things system according to the collected security evaluation basic data of each target terminal device in the to-be-evaluated Internet of things system.
In some embodiments, the evaluation unit is further configured to determine, when determining the device infection rate of the to-be-evaluated internet of things system, a security protection level of the to-be-evaluated internet of things system according to the device infection rate of the to-be-evaluated internet of things system; the safety protection level of the to-be-evaluated Internet of things system is inversely related to the equipment infection rate of the to-be-evaluated Internet of things system.
In some embodiments, the evaluation unit is further configured to determine, when determining an infection network location of the to-be-evaluated internet of things system, a risk point of the to-be-evaluated internet of things system according to the infection network location of the to-be-evaluated internet of things system.
Referring to fig. 4, a schematic structural diagram of an internet of things security assessment device based on virtual threat distribution according to an embodiment of the present application is provided, where the internet of things security assessment device based on virtual threat distribution may be deployed on a terminal device, as shown in fig. 4, and the internet of things security assessment device based on virtual threat distribution may include:
a receiving unit 410, configured to receive a target command; the target command is injected into the terminal device when the central server scans the sub-network segment to be scanned and determines that the terminal device is a target terminal device in the sub-network segment to be scanned, the sub-network segment to be scanned being generated by the central server according to the acquired IP address network segment of the internet of things to be evaluated; or the target command is injected into the terminal device when a target terminal device scans the address to be scanned associated with that target terminal device and determines that the terminal device is a new target terminal device; the target terminal device is an internet of things terminal device that has a specified public service port open and/or has a specified available security problem; the specified public service port is a public service port that can be accessed without authorization, and the specified available security problem is a security problem through which terminal command execution permission can be obtained;
A downloading unit 420, configured to download and load virtual threat software matched with an operating system framework of the present device according to the target command;
an operation unit 430, configured to operate the virtual threat software, so as to collect security assessment basic data of the device and return the security assessment basic data to the central server; the security evaluation basic data are used for the central server to perform security evaluation on the internet of things system to be evaluated.
In some embodiments, the running unit is further configured to determine an address to be scanned associated with the terminal device during running of the virtual threat software in the terminal device, determine a new target terminal by scanning the address to be scanned, and inject the target command into the new target terminal device.
In some embodiments, the address to be scanned associated with the terminal device comprises:
according to the IP address of the terminal equipment and the subnet mask, determining other IP addresses which are in the same subnet with the IP address of the terminal equipment;
or,
and determining the IP address which is recorded in the ARP table and/or the routing table of the terminal equipment and is in a survival state according to the ARP table and/or the routing table of the terminal equipment.
In some embodiments, the receiving unit 410 is further configured to receive IP address information of the infected terminal device issued by the central server; the central server counts the IP address information of the infected terminal equipment according to the IP address information of the terminal equipment reporting the security evaluation basic data; the infected terminal equipment is terminal equipment reporting the security evaluation basic data;
accordingly, the operation unit determines an address to be scanned associated with the terminal device, including: an address to be scanned associated with the terminal device and not belonging to the infected terminal device is determined.
In some embodiments, the scan address associated with the terminal device comprises: other IP addresses which are in the same subnet as the IP address of the terminal equipment and do not belong to the IP address of the infected terminal equipment; or, other IP addresses which are recorded in the ARP table and/or the routing table of the terminal equipment, are in a survival state and do not belong to the IP addresses of the infected terminal equipment.
In some embodiments, the terminal device has an external network communication authority and receives the target command from a sender device of the target command through the external network, and the running unit determines an address to be scanned associated with the terminal device, including:
And under the condition that the terminal equipment also has the intranet access right, determining the intranet IP address with the access right of the terminal equipment as the address to be scanned associated with the terminal equipment.
In some embodiments, as shown in fig. 5, the internet of things security assessment device based on virtual threat distribution further includes:
the destroying unit 440 is configured to destroy the virtual threat software on the device when the receiving unit 410 receives a virtual threat software destroying instruction issued by the central server; the virtual threat software destroying instruction is sent by the center server under the condition that the center server receives the security evaluation basic data reported by the terminal equipment.
In some embodiments, as shown in fig. 6, the internet of things security assessment device based on virtual threat distribution further includes:
and the sending unit 450 is configured to send a virtual threat software destruction instruction to the sending end device of the target command when the sending end device of the target command is another terminal device, so that the virtual threat software running on the sending end device of the target command completes collection and return of the security evaluation basic data, and destroy the virtual threat software on the device when the determined new target terminal device is injected with the target command.
The embodiment of the application also provides electronic equipment, which comprises a processor and a memory, wherein the memory is used for storing a computer program; and the processor is used for realizing the Internet of things security assessment method based on virtual threat distribution when executing the program stored on the memory.
Fig. 7 is a schematic diagram of a hardware structure of an electronic device according to an embodiment of the present application. The electronic device may include a processor 701, a memory 702 storing machine-executable instructions. The processor 701 and the memory 702 may communicate via a system bus 703. Also, the processor 701 may perform the internet of things security assessment method based on virtual threat distribution described above by reading and executing machine executable instructions in the memory 702 corresponding to the internet of things security assessment logic based on virtual threat distribution.
The memory 702 referred to herein may be any electronic, magnetic, optical, or other physical storage device that may contain or store information, such as executable instructions, data, or the like. For example, a machine-readable storage medium may be: RAM (Random Access Memory), volatile memory, non-volatile memory, flash memory, a storage drive (e.g., hard drive), a solid state drive, any type of storage disk (e.g., optical disk, DVD, etc.), or a similar storage medium, or a combination thereof.
In some embodiments, a machine-readable storage medium, such as memory 702 in fig. 7, is also provided, having stored therein machine-executable instructions that when executed by a processor implement the internet of things security assessment method described above based on virtual threat distribution. For example, the machine-readable storage medium may be ROM, RAM, CD-ROM, magnetic tape, floppy disk, optical data storage device, etc.
The embodiment of the application also provides a computer program product, which stores a computer program and causes a processor to execute the internet of things security assessment method based on virtual threat distribution.
Referring to fig. 8, a schematic structural diagram of an internet of things security assessment system based on virtual threat distribution according to an embodiment of the present application is shown in fig. 8, where the internet of things security assessment system based on virtual threat distribution may include: a center server and a terminal device; wherein:
the center server is used for acquiring an IP address network segment of the Internet of things system to be evaluated;
the center server is further used for generating a sub-network segment to be scanned according to the IP address network segment of any to-be-evaluated Internet of things system;
the central server is further configured to scan the sub-network segment to be scanned, and determine a target terminal device in the sub-network segment to be scanned; the target terminal device is an internet of things terminal device that has a specified public service port open and/or has a specified available security problem; the specified public service port is a public service port that can be accessed without authorization, and the specified available security problem is a security problem through which terminal command execution permission can be obtained;
the central server is further used for injecting a target command to any target terminal device;
the terminal equipment is used for downloading and loading virtual threat software matched with the operating system framework of the equipment under the condition of receiving the target command; the virtual threat software collects security evaluation basic data of the target terminal equipment and returns the data to the central server in the process of running in the target terminal equipment, determines an address to be scanned associated with the target terminal equipment, determines new target terminal equipment by scanning the address to be scanned, and injects the target command into the new target terminal equipment;
The center server is further used for carrying out security assessment on the to-be-assessed internet of things system according to the collected security assessment basic data of each target terminal device in the to-be-assessed internet of things system.
In some embodiments, the central server and the terminal device may implement the internet of things security assessment based on virtual threat distribution in the manner described in the above embodiments.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The foregoing description of the preferred embodiments of the application is not intended to be limiting, but rather to enable any modification, equivalent replacement, improvement or the like to be made within the spirit and principles of the application.

Claims (11)

1. The internet of things security assessment method based on virtual threat distribution is characterized by being applied to a central server, and comprises the following steps:
acquiring an IP address network segment of an Internet of things system to be evaluated;
generating a sub-network segment to be scanned according to the IP address network segment of any Internet of things system to be evaluated;
scanning the sub-network segment to be scanned, and determining target terminal equipment in the sub-network segment to be scanned; the target terminal equipment is internet of things terminal equipment that has a specified public service port open and/or has a specified available security problem; the specified public service port is a public service port that can be accessed without authorization, and the specified available security problem is a security problem through which terminal command execution permission can be obtained;
for any target terminal equipment, injecting a target command into the target terminal equipment so that the target terminal equipment downloads and loads virtual threat software matched with an operating system framework of the equipment according to the target command; the virtual threat software collects security evaluation basic data of the target terminal equipment through the target terminal equipment and returns the security evaluation basic data to the central server in the process of running in the target terminal equipment, determines an address to be scanned associated with the target terminal equipment, determines new target terminal equipment by scanning the address to be scanned, and injects the target command into the new target terminal equipment; the virtual threat software cuts off the device utilization function of the traditional malicious software, and newly adds the route topology detection and data statistics back transmission functions;
And carrying out security evaluation on the to-be-evaluated Internet of things system according to the collected security evaluation basic data of each target terminal device in the to-be-evaluated Internet of things system.
2. The method of claim 1, wherein the security assessment base data comprises: some or all of device data, network topology data, security problem data, weak password data;
according to the collected security evaluation basic data of each target terminal device in the internet of things system to be evaluated, performing security evaluation on the internet of things system to be evaluated, including:
under the condition that the security evaluation basic data comprises equipment data, determining the equipment infection rate of the to-be-evaluated Internet of things system according to the collected security evaluation basic data of each target terminal equipment in the to-be-evaluated Internet of things system; wherein the device data includes IP addresses, and the device infection rate includes a ratio of the number of IP addresses of the target terminal device to the total number of IP addresses of the device to be scanned;
and/or,
under the condition that the security evaluation basic data comprises network topology data, determining the infection network position of the to-be-evaluated Internet of things system according to the collected security evaluation basic data of each target terminal device in the to-be-evaluated Internet of things system;
and/or,
under the condition that the security evaluation basic data comprise security problem data and/or weak password data, determining the problem type of the to-be-evaluated Internet of things system according to the collected security evaluation basic data of each target terminal device in the to-be-evaluated Internet of things system;
wherein, in case the device infection rate of the internet of things system to be evaluated is determined, the method further comprises:
determining the security protection level of the to-be-evaluated Internet of things system according to the equipment infection rate of the to-be-evaluated Internet of things system; the safety protection level of the to-be-evaluated Internet of things system is inversely related to the equipment infection rate of the to-be-evaluated Internet of things system;
and/or,
in the case where the location of the infected network of the internet of things system under evaluation is determined, the method further comprises:
and determining risk points of the to-be-evaluated Internet of things system according to the infection network position of the to-be-evaluated Internet of things system.
3. The internet of things security assessment method based on virtual threat distribution is characterized by being applied to terminal equipment, and comprises the following steps:
receiving a target command; the target command is injected into the terminal equipment when the central server scans the sub-network segment to be scanned and determines that the terminal equipment is target terminal equipment in the sub-network segment to be scanned, the sub-network segment to be scanned being generated by the central server according to the acquired IP address network segment of the internet of things to be evaluated; or the target command is injected into the terminal equipment when target terminal equipment scans the address to be scanned associated with that target terminal equipment and determines that the terminal equipment is new target terminal equipment; the target terminal equipment is internet of things terminal equipment that has a specified public service port open and/or has a specified available security problem; the specified public service port is a public service port that can be accessed without authorization, and the specified available security problem is a security problem through which terminal command execution permission can be obtained;
Downloading and loading virtual threat software matched with an operating system frame of the equipment according to the target command, and running the virtual threat software to collect security evaluation basic data of the equipment and transmit the security evaluation basic data back to a central server; the security evaluation basic data are used for the central server to perform security evaluation on the internet of things system to be evaluated; the virtual threat software cuts off the device utilization function of the traditional malicious software, and newly adds the route topology detection and data statistics back transmission functions;
wherein, in the process that the virtual threat software runs in the terminal device, the method further comprises:
determining an address to be scanned associated with the terminal equipment, determining a new target terminal by scanning the address to be scanned, and injecting the target command into the new target terminal equipment.
4. A method according to claim 3, characterized in that the address to be scanned associated with the terminal device comprises:
according to the IP address of the terminal equipment and the subnet mask, determining other IP addresses which are in the same subnet with the IP address of the terminal equipment;
or,
and determining the IP address which is recorded in the ARP table and/or the routing table of the terminal equipment and is in a survival state according to the ARP table and/or the routing table of the terminal equipment.
5. A method according to claim 3, characterized in that the method further comprises:
receiving IP address information of infected terminal equipment issued by a central server; the central server counts the IP address information of the infected terminal equipment according to the IP address information of the terminal equipment reporting the security evaluation basic data; the infected terminal equipment is terminal equipment reporting the security evaluation basic data;
a scan address associated with the terminal device, comprising: other IP addresses which are in the same subnet as the IP address of the terminal equipment and do not belong to the IP address of the infected terminal equipment; or, other IP addresses which are recorded in the ARP table and/or the routing table of the terminal equipment, are in a survival state and do not belong to the IP addresses of the infected terminal equipment.
6. A method according to claim 3, wherein the terminal device has an external network communication authority and receives the target command from a sender device of the target command through an external network, and wherein the determining the address to be scanned associated with the terminal device comprises:
and under the condition that the terminal equipment also has the intranet access right, determining the intranet IP address with the access right of the terminal equipment as the address to be scanned associated with the terminal equipment.
7. The method of claim 3, wherein after receiving the target command, further comprising:
under the condition that a virtual threat software destroying instruction issued by a central server is received, virtual threat software on the device is destroyed; the virtual threat software destruction instruction is sent by the center server under the condition that the center server receives the security evaluation basic data reported by the terminal equipment;
and/or,
and under the condition that the sending end equipment of the target command is other terminal equipment, sending a virtual threat software destroying instruction to the sending end equipment of the target command, so that the virtual threat software running on the equipment by the sending end equipment of the target command completes the collection and the return of the security evaluation basic data, and under the condition that the determined new target terminal equipment is injected with the target command, destroying the virtual threat software on the equipment.
8. An internet of things security assessment device based on virtual threat distribution, characterized in that the device is deployed at a central server, the device comprising:
the acquisition unit is used for acquiring an IP address network segment of the system of the Internet of things to be evaluated;
the generating unit is used for generating a sub-network segment to be scanned according to the IP address network segment of any Internet of things system to be evaluated;
the determining unit is used for scanning the sub-network segment to be scanned and determining target terminal equipment in the sub-network segment to be scanned; the target terminal equipment is internet of things terminal equipment that has a specified public service port open and/or has a specified available security problem; the specified public service port is a public service port that can be accessed without authorization, and the specified available security problem is a security problem through which terminal command execution permission can be obtained;
the injection unit is used for injecting a target command to any target terminal device so that the target terminal device downloads and loads virtual threat software matched with an operating system frame of the device according to the target command; the virtual threat software collects security evaluation basic data of the target terminal equipment through the target terminal equipment and returns the security evaluation basic data to the central server in the process of running in the target terminal equipment, determines an address to be scanned associated with the target terminal equipment, determines new target terminal equipment by scanning the address to be scanned, and injects the target command into the new target terminal equipment; the virtual threat software cuts off the device utilization function of the traditional malicious software, and newly adds the route topology detection and data statistics back transmission functions;
The evaluation unit is used for carrying out security evaluation on the to-be-evaluated Internet of things system according to the collected security evaluation basic data of each target terminal device in the to-be-evaluated Internet of things system.
9. An Internet of Things security assessment device based on virtual threat distribution, characterized in that the device is deployed in a terminal device, the device comprising:
a receiving unit, configured to receive a target command; the target command is injected into the terminal device when the central server scans the sub-network segment to be scanned and determines that the terminal device is a target terminal device in the sub-network segment to be scanned, the sub-network segment to be scanned being generated by the central server according to the acquired IP address network segment of the Internet of Things system to be evaluated; or the target command is injected into the terminal device when a target terminal device scans the address to be scanned associated with that target terminal device and determines that the terminal device is a new target terminal device; the target terminal device is an Internet of Things terminal device that has a specified public service port open and/or has a specified exploitable security problem; the specified public service port is a public service port that can be accessed without authorization, and the specified exploitable security problem is a security problem through which terminal command execution permission can be obtained;
a downloading unit, configured to download and load, according to the target command, virtual threat software matching the operating system framework of the present device; the virtual threat software removes the device utilization function of traditional malware and adds route topology detection and data statistics return functions;
a running unit, configured to run the virtual threat software to collect the security evaluation basic data of the terminal device and return it to the central server; the security evaluation basic data is used by the central server to perform security evaluation on the Internet of Things system to be evaluated;
the running unit is further configured to, while the virtual threat software is running in the terminal device, determine an address to be scanned associated with the terminal device, determine a new target terminal device by scanning the address to be scanned, and inject the target command into the new target terminal device.
10. An electronic device comprising a processor and a memory, wherein,
a memory for storing a computer program;
a processor configured to implement the method of any one of claims 1-2 or 3-7 when executing a program stored on a memory.
11. An Internet of Things security assessment system based on virtual threat distribution, characterized by comprising: a central server and a terminal device; wherein:
the central server is configured to acquire an IP address network segment of the Internet of Things system to be evaluated;
the central server is further configured to generate a sub-network segment to be scanned according to the IP address network segment of any Internet of Things system to be evaluated;
the central server is further configured to scan the sub-network segment to be scanned and determine a target terminal device in the sub-network segment to be scanned; the target terminal device is an Internet of Things terminal device that has a specified public service port open and/or has a specified exploitable security problem; the specified public service port is a public service port that can be accessed without authorization, and the specified exploitable security problem is a security problem through which terminal command execution permission can be obtained;
the central server is further configured to inject a target command into any target terminal device;
the terminal device is configured to, upon receiving a target command, download and load virtual threat software matching the operating system framework of the present device, run the virtual threat software to collect security evaluation basic data of the present device and return it to the central server, determine an address to be scanned associated with the target terminal device, determine a new target terminal device by scanning the address to be scanned, and inject the target command into the new target terminal device; the virtual threat software removes the device utilization function of traditional malware and adds route topology detection and data statistics return functions;
the central server is further configured to perform security evaluation on the Internet of Things system to be evaluated according to the collected security evaluation basic data of each target terminal device in the Internet of Things system to be evaluated.
CN202310823996.5A 2023-07-05 2023-07-05 Internet of Things security assessment method, device and system based on virtual threat distribution Active CN116545780B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310823996.5A CN116545780B (en) 2023-07-05 2023-07-05 Internet of Things security assessment method, device and system based on virtual threat distribution

Publications (2)

Publication Number Publication Date
CN116545780A CN116545780A (en) 2023-08-04
CN116545780B CN116545780B (en) 2023-09-19

Family

ID=87458256

Country Status (1)

Country Link
CN (1) CN116545780B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101894230A (en) * 2010-07-14 2010-11-24 国网电力科学研究院 Static and dynamic analysis technology-based host system security evaluation method
CN110505116A (en) * 2019-07-30 2019-11-26 国网陕西省电力公司 Power information acquisition system and penetration test method, device, readable storage medium storing program for executing
CN112437100A (en) * 2021-01-28 2021-03-02 腾讯科技(深圳)有限公司 Vulnerability scanning method and related equipment
CN114666104A (en) * 2022-03-09 2022-06-24 国能信息技术有限公司 Penetration testing method, system, computer equipment and storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10826928B2 (en) * 2015-07-10 2020-11-03 Reliaquest Holdings, Llc System and method for simulating network security threats and assessing network security

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant