CN117675173A - System and method for providing security for internet of things devices

Publication number: CN117675173A
Application number: CN202311031042.7A
Authority: CN (China)
Prior art keywords: security, data, interceptor, category, devices
Legal status: Pending
Other languages: Chinese (zh)
Inventors: Victor V. Yablokov, Konstantin M. Filatov
Current Assignee: Kaspersky Lab AO
Original Assignee: Kaspersky Lab AO
Priority claimed from: US18/341,814 (US20240089271A1)
Application filed by: Kaspersky Lab AO

Abstract

Systems and methods for providing security for internet of things (IoT) devices are disclosed. An exemplary method includes: obtaining, by means of an interceptor located on at least one gateway or on the device, information about the interaction of the device with at least one of the following: one or more other devices, services, and servers; by means of an analysis tool located on the at least one gateway, identifying the security component to be installed on the device by determining at least one category of the device and at least one category of a user of the device, through interaction with a security service, based on the received information about the interaction of the device, receiving data from the security service, and identifying the security component to be installed on the device based on the data received from the security service, the at least one category of the device, and the at least one category of the user of the device; and installing the security component identified by the analysis tool on the device through the interceptor.

Description

System and method for providing security for internet of things devices
Cross Reference to Related Applications
The present application claims priority from Russian patent application No. 2022123909, filed on 9/8/2022, the entire contents of which are incorporated herein by reference.
Technical Field
The present invention relates generally to the field of information security, and more particularly, to a system and method for providing security for internet of things (Internet of Things, IoT) devices.
Background
More and more electronic devices, such as computers, smart phones and home appliances, can communicate over Wi-Fi or Bluetooth networks and connect to the internet. These devices are often referred to as smart devices or internet of things (IoT) devices (these terms will be used interchangeably hereinafter). Many IoT devices form a "smart home" when they connect to a home Wi-Fi network. Integrating devices into smart homes allows users to control the devices from one point, check the status of the devices and their respective functions, and adjust the devices based on the user's personal needs.
Not surprisingly, as the number of networking-capable devices increases, the number of attempts to use such devices maliciously is also increasing. Currently, one significant issue is the spread of malware that infects IoT devices. IoT devices typically do not have a high-performance computing platform. Instead, these devices are typically based on the ARM architecture for small platforms and run a small Operating System (OS) or a simple bootloader for accessing limited resources. As a result, it is impractical, and sometimes even impossible, to use any security policy or anti-virus application on such devices.
Furthermore, IoT devices may generate a large amount of traffic that is used by the creators of botnets. One example is the "Hide 'N' Seek" botnet, which uses peer-to-peer (P2P) communication as its infrastructure, making it more difficult to detect.
Notably, the widespread use of IoT devices may be accompanied by invading people's privacy. In one aspect, a person may trust many devices to monitor data that may be directly or indirectly related to his personal information. The personal information may include one or more of the following: pulse rate, calorie consumption (e.g., monitored by a "smart" fitness bracelet), call frequency (e.g., monitored by a "smart" watch), indoor temperature and humidity (e.g., monitored by a "smart" appliance such as a thermometer, hygrometer with feedback), and the like. While the level and quality of service is directly dependent on the use of information from such devices, not all people are willing to allow all or at least part of the personal information to be transferred to the internet.
Another growing concern is a type of security problem related to the functionality of smart devices within the smart home framework. For example, even if the settings allow a user to raise the temperature, it may be unacceptable in warm seasons to raise the air temperature above 23-25 degrees Celsius.
Furthermore, an intruder may take advantage of such security problems, for example, by disabling multiple sensors and/or changing settings. The consequences can be catastrophic if vulnerabilities are exploited. For example, an industrial IoT (IIoT) application is a multi-stage system that includes sensors and controllers mounted on nodes and components of an industrial facility, means for transmitting collected data, means for visualizing the data, and means for analyzing the collected data. If one of the nodes in the multi-stage system is compromised, service is likely to be denied not only to one device or group of devices in a home, but to critical infrastructure throughout a city. Operational changes or malfunctions of critical infrastructure throughout the city may have catastrophic consequences. For example, the operation of an urban traffic management system or urban cameras may be affected by the actions of intruders.
Thus, there is a need for a method and system that improves security of IoT devices in an optimal manner without requiring a complete operating system and computing platform.
Disclosure of Invention
Aspects of the present invention relate to improving security of IoT devices, and more particularly, to systems and methods for providing security for network devices by installing security components (e.g., by installing security components on IoT devices in a network).
In one exemplary aspect, a method for providing security for a network device is provided, the method comprising: obtaining, by means of an interceptor located on at least one gateway or on the device, information about the interaction of the device with at least one of the following: one or more other devices, services, and servers; by means of an analysis tool located on the at least one gateway: determining at least one category of the device and at least one category of a user of the device by interacting with at least one security service based on the information received from the interceptor regarding the interactions of the device; receiving data from the at least one security service, the data comprising: data about the device, data about a cyber threat that depends on the at least one category of the device and the at least one category of the user of the device, and data describing a security component, wherein the security component is based on at least one type of cyber threat; and identifying the security component to be installed on the device based on the data received from the at least one security service, the at least one category of the device, and the at least one category of the user of the device; and installing the security component identified by the analysis tool on the device through the interceptor.
In one aspect, the interceptor obtains information about the interactions of the devices by performing at least one of: intercepting Domain Name System (DNS)/Hypertext Transfer Protocol (HTTP)/Hypertext Transfer Protocol Secure (HTTPS) requests from a plurality of devices; extracting domain and Uniform Resource Locator (URL) data from the intercepted requests; intercepting incoming traffic to a plurality of devices on a predetermined set of Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports; and checking whether the device has an open TCP/UDP port providing remote access to the device.
In one aspect, the data about the device includes at least one of: a description of the device, firmware of the device, and a weak password of the device.
In one aspect, the data regarding network threats depending on at least one category of the device and at least one category of a user of the device comprises at least one of: domains and Uniform Resource Locators (URLs) used by malicious device applications, data about the open telnet/secure shell (SSH) ports of the device, and data for detecting a malicious device application when it is invoked.
In one aspect, the device includes the security component or the interceptor according to a description of the device.
In one aspect, the security service assembles the security component.
In one aspect, the method further comprises: when the interceptor is located on the at least one gateway, installing an interceptor on the device through the interceptor on the at least one gateway, wherein network security is provided for the device.
According to one aspect of the present invention, there is provided a network device security system comprising at least one gateway comprising at least one hardware processor and at least one memory, the gateway comprising an analysis tool and an interceptor, the gateway being in communication with at least one device and at least one security service, wherein the interceptor performs: obtaining information about interactions of the device with at least one of: one or more other devices, services, and servers; and installing a security component on the device that is identified by the analysis tool; wherein the analysis tool performs: determining at least one category of the device and at least one category of a user of the device by interacting with the at least one security service based on information obtained from the interceptor about the interactions of the device, interacting with the at least one security service to receive data from the at least one security service, and identifying the security component for installation on the device based on the data received from the security service, the determined at least one category of the device, and the at least one category of the user of the device; and wherein the at least one security service provides data to the analysis tool, wherein the data comprises: data about the device, data about a cyber threat depending on at least one category of the device and at least one category of a user of the device, and data describing the security component, wherein the security component is based on at least one type of cyber threat.
In one exemplary aspect, a non-transitory computer-readable medium is provided having stored thereon a set of instructions for providing security for a network device, wherein the set of instructions includes instructions for: obtaining, by means of an interceptor located on at least one gateway or on the device, information about the interaction of the device with at least one of the following: one or more other devices, services, and servers; by means of an analysis tool located on the at least one gateway: determining at least one category of the device and at least one category of a user of the device by interacting with at least one security service based on the information received from the interceptor regarding the interactions of the device; receiving data from the at least one security service, the data comprising: data about the device, data about a cyber threat that depends on the at least one category of the device and the at least one category of the user of the device, and data describing a security component, wherein the security component is based on at least one type of cyber threat; and identifying the security component to be installed on the device based on the data received from the at least one security service, the at least one category of the device, and the at least one category of the user of the device; and installing the security component identified by the analysis tool on the device through the interceptor.
The present methods and systems for providing security for network devices address limitations of existing ways of providing security for IoT devices. Thus, the method of the present invention reduces the risk to personal information that IoT devices may obtain.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate one or more exemplary aspects of the invention and, together with the description, serve to explain the principles and implementations of these exemplary aspects.
Fig. 1 illustrates a block diagram of an exemplary IoT infrastructure (ecosystem) in accordance with aspects of the invention.
Fig. 2 illustrates a block diagram of an exemplary system for providing security for network devices (e.g., IoT devices) by installing security components in accordance with aspects of the subject innovation.
Fig. 3 illustrates a method for providing security for a network device (e.g., IoT device) by installing security components in accordance with aspects of the subject innovation.
FIG. 4 presents an example of a general-purpose computer system upon which aspects of the present invention may be implemented.
Detailed Description
Exemplary aspects are described herein in the context of systems, methods, and computer programs for providing security for network devices (e.g., IoT devices) by installing security components in accordance with aspects of the present invention. Those of ordinary skill in the art will realize that the following description is illustrative only and is not intended to be in any way limiting. Other aspects will readily occur to those skilled in the art upon review of the present disclosure. Reference will now be made in detail to implementations of example aspects as illustrated in the accompanying drawings. The same reference indicators will be used throughout the drawings and the following description to the extent possible for the same or like items.
For convenience in describing the present invention, terms used in the specification are introduced below.
In the context of the present invention, the term "device" refers to hardware, the complete technical design of which has a certain functional value. For example, the device may be a router, a smart phone, a webcam, or the like.
The term "IoT device" refers to everyday items or devices such as watches, cameras, refrigerators, recorders, bracelets, heart rate monitors, thermostats, etc. that can access the internet (or local area network) through various types of wired and wireless connections such as Wi-Fi or Bluetooth. These IoT devices create network connections, receive and process incoming traffic, and have interfaces (application programming interfaces, APIs) for interaction, which allow parameters of things (devices) not only to be tracked but also to be configured. Further, IoT devices may include a range of network devices, such as signal amplifiers or media consoles.
IoT devices have applications in various fields such as automobiles, consumer goods (e.g., smart watches), infrastructure items (various sensors, e.g., humidity sensors or temperature sensors), medicine (e.g., cardiac pacemakers capable of sending data regarding their operation to a local server), smart homes/buildings, and so forth. Typically, IoT devices are combined into an infrastructure that is able to perform tasks not only at the personal or home level, but also at the city or state level.
Furthermore, IoT devices are used for different purposes. Thus, when such devices are compromised, stolen, or damaged, the consequences may vary depending on the manner and location in which the device is used. In some cases, the entire infrastructure may be affected.
"Device interaction" refers to the exchange of data between devices. In this case, the interaction may include: exchanging data between devices using a protocol (e.g., Wi-Fi or Bluetooth) to establish a connection between the devices or detect other devices, and transferring user data between the devices (e.g., user messages are transferred from a smart phone to a tablet computer over a Wi-Fi network, or audio is transferred from a notebook computer to a headset over Bluetooth).
"Anomaly" refers to an identified deviation, for example, in the traffic pattern to or from the device. The anomaly is observed over a predetermined period of time. The predetermined period of time may be based on the application, user preferences, and the like.
"Network attack" refers to the unauthorized manipulation of a computer system or network by specialized software or hardware to disrupt the operation of the computer system or network, obtain confidential information, and the like.
"Cyber threat" refers to the loss or disruption of large amounts of data from a computer system or network due to cyber attacks.
"security component" refers to software and hardware that provides security for interactions of devices and user data. The security component may be implemented by taking into account the capabilities of hardware (e.g., AES instruction blocks in the central processor of the device). Examples of security components include device controllers, anti-virus protection, and the like. The device controller includes a component that monitors attempts to connect an external device to a protected device via USB, and a component that disables or enables use according to specified control rules of the device. Anti-virus protection includes software or applications that provide anti-virus protection for the protected device.
"category of devices" refers to the concept of expressing the most general characteristics of devices. For example, the class of device may be the type of device (e.g., smart phone, router, refrigerator), the type of connection to the device (e.g., whether the device may be connected to other devices via a wireless interface or wired), the security of the device (e.g., whether a security component may be installed on the device, or whether the hardware implementation of the device does not allow for a security component to be installed on the device), and so forth. Thus, for IoT devices, the term "class of IoT devices" may be used to refer to the most generic characteristics of IoT devices.
"category of user of a device" refers to a category related to a user and may include one or more of the following: the age of the user, the role of the user in the home (parent, child), the experience of the device user in dealing with the network threat (user's technical literacy in terms of network security), the role of the user in the enterprise (manager, accounting, security), the role of the user in the service infrastructure (client, visitor, employee, administrator, etc.).
The system of the present invention for protecting IoT devices by installing security components is understood to be implemented by real devices, systems, components, or groups of components, which are implemented using hardware such as an application-specific integrated circuit (ASIC) or a field programmable gate array (FPGA), or, for example, as a combination of software and hardware such as a microprocessor system and a set of software instructions, or on a neuromorphic chip. The functions of the components of the system may be implemented solely in hardware, or in a combination in which some of the functions of the components of the system are implemented in software and some of the functions are implemented in hardware. In some embodiments, some or all of the components of the system of the present invention may be run on a processor of a general purpose computer (such as that shown in FIG. 4). In this case, the components of the system (each component) may be implemented within the framework of one computing device or may be distributed among several interconnected computing devices.
Fig. 1 illustrates a block diagram of an exemplary IoT infrastructure (ecosystem) 100 in accordance with aspects of the invention. IoT infrastructure 100 includes a plurality of IoT devices 110, a plurality of gateways 120, cloud services 130, and applications 140. IoT device 110 accesses application 140 through gateway 120 and cloud service 130.
Cloud services 130 may include one or more remote data processing servers. Within the cloud service 130, applications 140 run to allow processing and interpretation of data from IoT devices 110. The user may use individual IoT devices 110 (which may be smartphones, personal computers, etc.) to control other IoT devices 110 directly or through one or more of the applications 140. Typically, one or more gateways 120 form a Personal Area Network (PAN) with connected IoT devices 110.
IoT devices 110 (hereinafter devices) may be wearable items (e.g., smartphones, smartwatches, etc.), sensors in vehicles or homes, or various sensors deployed at enterprise locations. IoT devices 110 receive, process, and transmit information (e.g., temperature data) to other similar IoT devices 110 (e.g., a smartwatch may be paired with a smartphone using the Bluetooth protocol). The transmission from one IoT device 110 to another IoT device 110 may be through a direct connection or through gateway 120 (e.g., access point 120). Gateway 120 may be a home router or other network device (e.g., a hub or switch) designed to transmit data over a network to platform 130 (hereinafter cloud service 130). The gateway 120 may support various communication protocols, e.g., the ZigBee protocol may be used for some IoT devices 110, and Ethernet connections may be used to connect the gateway 120 to the cloud service 130.
As an illustrative example, platform 130 may include the smart home platform of the company Xiaomi. IoT devices 110 may include Xiaomi ecosystem smart light bulbs, Xiaomi smart power plug surge protectors, Xiaomi smart remote control centers, and so forth. To process data from these IoT devices 110, a proprietary platform 130, the Xiaomi ecosystem cloud, may be used. The Xiaomi ecosystem cloud allows data processing and control of IoT devices 110 using various applications 140, including third party applications.
Fig. 2 illustrates a block diagram of an exemplary system 200 for providing security for network devices (e.g., IoT devices) by installing security components in accordance with aspects of the subject innovation.
Manufacturers of IoT devices 110 typically do not prioritize the security of these types of devices. Typically, choices are made that favor easy configuration and use by the end user. For example, a manufacturer may set a standard login/password on all shipped devices of the same model to access the management console, may not update in a timely manner libraries with known vulnerabilities that are installed on those devices, and so on. All of these choices allow an attacker to gain remote control of IoT device 110, to use compromised IoT device 110 as part of a botnet or in order to obtain private information about the user of IoT device 110 for subsequent extortion, or to perform other malicious actions.
The technical specifications of IoT devices 110 (e.g., use of non-standard firmware or operating systems, small amounts of memory, no standard installation of third party software provided by the manufacturer, autonomous operation without continuous charging possibilities) do not allow users to install comprehensive protection and anti-virus solutions on IoT devices.
Thus, in one aspect, the present invention provides for installing security components on a gateway 120 (router, switch), with IoT devices 110 accessing the internet through gateway 120. The IoT device 110 may be in the user's local or home network. The security component of the present invention minimizes the likelihood of infection of these devices and mitigates the consequences of IoT device 110 infection. Furthermore, the security solution may also identify infected IoT devices 110 in the home network.
To protect IoT devices 110, the method of the present invention installs security components. For example, installing the security component may include installing the security component on at least one IoT device 110 that interacts with the cloud service 130 and the application 140 through at least one gateway 120. Gateway 120 may also include one or more of the following: interceptor 121, analysis tool 122, and database 123. The analysis tool 122 interacts with the security service 160 and the security application 170.
The interceptor 121 is designed to obtain information about the interactions of IoT device 110 with other devices 110, services, and servers (cloud services 130 and/or malicious server 190) by intercepting the incoming and outgoing traffic of IoT devices 110 connected to the gateway 120. It should be appreciated that in the event that an IoT device 110 is infected, by installing the security component of the present invention, the IoT device will interact not only with the cloud service 130, but also with at least one malicious server 190. This may occur not only during initial installation, but also after installation, for example, if the IoT device is infected through a direct connection with an attacker. In another case, the user may connect a flash drive carrying a scripted malicious application to IoT device 110, or connect their own device 110 directly to the device 110 through a cable or wireless connection, bypassing gateway 120.
When IoT device 110 interacts with cloud service 130, communications (traffic) occur between malicious server 190 and application 140. As described above, the interceptor 121 performs actions to obtain information about the interaction of the IoT device 110 with at least one of: cloud services 130, malicious servers 190, other IoT devices 110.
In one example aspect, interceptor 121 may be configured to:
- intercept DNS/HTTP/HTTPS requests from IoT devices 110 on the user's home network;
- extract domains and URLs from the DNS/HTTP/HTTPS requests;
- intercept incoming traffic to IoT devices 110 on a predetermined set of TCP/UDP ports (telnet/Secure Shell (SSH) ports and the ports of other services providing remote access to IoT devices 110), where the set of ports may change according to information received from security service 160;
- check for the presence of open TCP/UDP ports (telnet/SSH ports and the ports of other services providing remote access to the device) on IoT devices 110; and
- identify IoT devices 110.
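The extraction step in the list above can be made concrete for plaintext DNS and HTTP. The following sketch is an added example, not code from the patent; the function names, record layout and sample bytes are assumptions constructed for illustration, and HTTPS (where only the TLS handshake is visible) is left out.

```python
import struct
from urllib.parse import urlsplit


class ParseError(ValueError):
    """Raised when intercepted bytes are not a well-formed request."""


def dns_query_name(payload: bytes) -> str:
    """Return the queried domain from a raw DNS query (UDP payload)."""
    if len(payload) < 12:
        raise ParseError("shorter than the 12-byte DNS header")
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if flags & 0x8000:
        raise ParseError("QR bit set: this is a response, not a request")
    if qdcount < 1:
        raise ParseError("no question section")
    labels, pos, total = [], 12, 0
    while True:
        if pos >= len(payload):
            raise ParseError("QNAME runs past the end of the packet")
        length = payload[pos]
        pos += 1
        if length == 0:                 # root label terminates the name
            break
        if length > 63:                 # top bits set: pointer or reserved
            raise ParseError("compression pointer or bad label length")
        if pos + length > len(payload):
            raise ParseError("label runs past the end of the packet")
        total += length + 1
        if total > 254:                 # 255 octets including the root label
            raise ParseError("name longer than 255 octets")
        labels.append(payload[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    if pos + 4 > len(payload):
        raise ParseError("QTYPE/QCLASS missing")
    return ".".join(labels)


def http_request_url(data: bytes) -> str:
    """Return the full URL of a plaintext HTTP/1.x request."""
    head = data.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        raise ParseError("first line is not an HTTP/1.x request line")
    target = parts[1].decode("ascii", "replace")
    if target.lower().startswith("http://"):    # absolute-form target
        return target
    if not target.startswith("/"):
        raise ParseError("unsupported request target")
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            return "http://" + host + target
    raise ParseError("origin-form request without a Host header")


def extract(device: str, proto: str, payload: bytes) -> dict:
    """Turn one intercepted request into the record handed to analysis."""
    try:
        if proto == "dns":
            return {"device": device, "domain": dns_query_name(payload), "url": None}
        if proto == "http":
            url = http_request_url(payload)
            return {"device": device, "domain": urlsplit(url).hostname, "url": url}
        raise ParseError("unhandled protocol " + proto)
    except ValueError as exc:           # ParseError is a ValueError
        return {"device": device, "domain": None, "url": None, "error": str(exc)}


# Constructed sample traffic (not captured from any real device).
SAMPLE_DNS = (struct.pack("!6H", 0x1A2B, 0x0100, 1, 0, 0, 0)
              + b"\x03cam\x06vendor\x07example\x00" + struct.pack("!2H", 1, 1))
SAMPLE_HTTP = (b"GET /firmware/check?v=1.0 HTTP/1.1\r\n"
               b"Host: Update.Vendor.Example\r\nUser-Agent: cam\r\n\r\n")
SAMPLE_TRUNCATED = SAMPLE_DNS[:16]      # cut off in the middle of the name

if __name__ == "__main__":
    for proto, raw in (("dns", SAMPLE_DNS), ("http", SAMPLE_HTTP),
                       ("dns", SAMPLE_TRUNCATED)):
        print(extract("192.0.2.10", proto, raw))
```

Malformed input is reported in the record instead of raising, so one bad packet from a device does not stop interception for the rest of the network.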
Furthermore, the interceptor 121 performs installation of the security component 125 on the IoT device 110 detected by the analysis tool 122.
How the analysis tool 122 identifies the security component 125 that the interceptor 121 needs to install on the device 110 is described below.
In general, the security component 125 is a software and/or hardware solution that provides security for the IoT device 110 or, in particular cases, for user data on the IoT device 110. For example, the security component for securing the user password on a smartphone may use a specialized smartphone chip or an encryption component, such as Advanced Encryption Standard (AES) encryption using an instruction block of the central processor of IoT device 110, a firmware update component on the IoT device 110, or a hardware loader of IoT device 110.
In one aspect, interceptor 121 transmits security component 125 to gateway 120. This approach may be used when installing security components on the IoT device itself is not feasible. In one aspect, the security component 125 includes smart home security, such as a home security system manufactured by Kaspersky. In another aspect, the security component 125 includes IoT infrastructure-based security, such as Kaspersky IoT infrastructure security. Thus, such an implementation provides security for IoT devices 110 in situations where it is technically impossible to install security components 125 on IoT devices 110. For example, because IoT device 110 is suspected of being infected or the request from IoT device 110 does not correspond to the user class of IoT device 110, it is necessary to use a router to block data transmissions from device 110 to other devices 110.
In one aspect, interceptor 121 may install interceptor 121a (e.g., a Kaspersky thin client) on IoT device 110. It is important to understand that interceptor 121a performs the same function on IoT device 110, but the hardware and software implementation of interceptor 121a differs depending on the identity of IoT device 110. In general, interceptor 121 performs the identification by determining, for example, the type of device 110, the hardware of device 110, and the communication interface with device 110, by methods known in the art. In one aspect, the security service 160 performs the assembly and transmission of the interceptor 121a to be installed on device 110. For example, the transmission of interceptor 121a may be through security application 170, which assembles interceptor 121a for a particular device 110.
In one aspect, interceptor 121a performs the same function as interceptor 121, but is a device that is connected to IoT device 110 but not connected to gateway 120. For example, interceptor 121a analyzes which other devices are connected to IoT device 110 (the user's smartphone or tablet) and the system of the present invention ensures their security (e.g., a smartwatch may be connected to the smartphone without communicating with gateway 120, a CCTV camera or sensor may be connected to the tablet).
In one aspect, the information intercepted by interceptor 121 is transmitted to analysis tool 122, which, by interacting with security service 160, determines a class of IoT device 110 and a class of a user of IoT device 110, as well as possible information security problems and network threats in the network, based on data received from interceptor 121 and security service 160. The analysis tool 122 is associated with a database 123 that stores descriptions (data/information) of devices 110 and descriptions of remote servers. The remote server may be a malicious server (e.g., malicious server 190, as shown in fig. 2) or a secure server (not shown in fig. 2). The description of the remote server may contain at least the URL of the remote server, as well as additional credentials and a chain of credentials for the remote server, an HTTP response of the remote server, or a convolution of the page. In general, because the amount of memory available to database 123 on gateway 120 is limited, an implementation of the method of the present invention keeps in the database up-to-date data on the user's IoT devices 110. Notably, the data for storage in database 123 includes data received by analysis tool 122 from security service 160 (an example will be discussed below).
In one aspect, the analysis tool 122 performs at least one of the following actions to determine the class of IoT devices 110 and the class of users of IoT devices 110:
- determining a description of IoT device 110 (e.g., by requesting IoT device 110 at a port number, opening a web page on IoT device 110, or other methods known in the art), wherein the description includes at least a type of IoT device 110 (e.g., webcam), a manufacturer of IoT device 110 (e.g., Xiaomi), a model and brand of IoT device 110 (e.g., XVV-B10), and firmware of IoT device 110 (a software version of IoT device 110);
- when a new IoT device 110 is detected on the network, receiving information about IoT device 110 from security service 160, where the information includes at least the Telnet/SSH ports of IoT device 110, the allowed domains and URLs of IoT device 110, and the allowed interactions of IoT device 110 in the network (e.g., a network camera may interact with other cameras or IP recorders, and send initialization requests itself);
- checking the domains and URLs from the intercepted traffic to identify the address of the IoT device 110 that performs the request;
- checking the domains and URLs from the intercepted traffic against a database of domains and URLs (part of database 123) to determine whether they are used by malicious applications of IoT device 110;
- checking the domains and URLs from the intercepted traffic against a database of domains and URLs (part of database 123) used by known security applications of IoT device 110;
- checking the intercepted traffic against the hash database (part of database 123) of malicious applications of IoT device 110;
- checking the intercepted traffic against the hash database (part of database 123) of the known security applications of IoT device 110.
The classes of IoT devices 110 and of their users may be determined based on the data described above, e.g., using statistical data or a trained machine learning model. For example, IoT devices 110 that are televisions may be categorized as "generic devices" for use by individual family members or employees of an enterprise. In one aspect, for example, when the device is determined to be a smartphone or tablet and the domains and URLs from the intercepted traffic are checked, the user may be classified by age. For example, suppose the requests are to sites dedicated to computer games and the IoT device 110 is used in the time interval of 7 hours to 21 hours. Such an IoT device 110 is perhaps used by children; thus, the class of users of the IoT device is "children." In one aspect, the categories of users of IoT devices may be further categorized by the age of the child (e.g., up to 12 years) based on the category of the site.
In one aspect, the analysis tool 122 identifies at least one security component 125 that needs to be installed on the user IoT device 110 according to certain categories of IoT devices 110 and categories of users of IoT devices 110 and performs the following actions:
If a domain and/or URL that the database lists as used by known malicious applications of IoT device 110 is detected in the outbound traffic, analysis tool 122 may decide to install security component 125 and communicate the decision to interceptor 121. The security component 125 blocks these domains and URLs. In this case, IoT device 110 may be infected. In one aspect, the analysis tool 122 notifies the user. For example, the user may be notified by sending an alert to the user's IoT device 110 via email, push notification, or other means of receiving information, or by transmitting data to the security service 160 for notifying the user.
If malicious application hashes are detected in the incoming traffic to IoT device 110, analysis tool 122 decides to install security component 125 on IoT device 110. The security component 125 prevents the transmission of the traffic. In one aspect, the method notifies a user of the IoT device 110 when a malicious application hash is detected.
If the IoT device is suspected of being infected, the analysis tool 122 decides to install the security component 125 on the IoT device 110 (if such an installation is possible) and communicates the decision to the interceptor 121. The security component can perform an anti-virus scan of the IoT device 110 in a manner known in the art (e.g., signature-based or heuristic). For example, such an installation may use Kaspersky Internet Security for Android.
In one aspect, upon determining the class of the user of the IoT device 110, the analysis tool 122 decides to install a security component 125 corresponding to the user's interests, e.g., for content filtering, parental control, etc.
If an anomaly is detected in the intercepted traffic of IoT device 110 (in which case device 110 may be infected), analysis tool 122 decides to install security component 125, which security component 125 prevents the connection associated with the anomaly, and analysis tool 122 communicates the decision to interceptor 121. In one aspect, the IoT device 110 also alerts the user to the detected anomaly.
In one aspect, the anomaly may include a deviation identified in the traffic of the IoT device 110 over a period of time. For example, when passwords are being guessed from outside, an anomaly may be detected if the number of connections from different IP addresses to IoT device 110 increases. Within the scope of the present invention, such IoT devices 110 may be considered infected because the probability of guessing the password is non-zero (even if the password has changed). Notably, IoT devices 110 typically do not have any protection against brute-force attempts to guess passwords due to their simplicity, and do not set a timeout after several incorrect password attempts (e.g., 30 seconds after three incorrect password inputs). In devices that are not as simple as IoT devices, the time allocated for entering the password is typically short, so the password entry is relatively fast, and it is therefore necessarily impossible to guess the password itself. Thus, for IoT devices, when an anomaly is detected, the device needs to block the connection and alert the user of the anomaly.
In another example, suppose IoT device 110 scans the IP address of the network and attempts to connect to other IoT devices 110. In this case, the IoT device needs to block the connection and alert the user of the attempted connection.
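The two anomalies just described (a rise in distinct outside addresses connecting to a device, and a device scanning its own network) can be detected from connection records as in the following added example, which is not code from the patent. The window length, thresholds, LAN prefix and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

LAN = ip_network("192.168.1.0/24")   # assumed home network behind the gateway
REMOTE_ACCESS_PORTS = {22, 23}       # SSH and Telnet
WINDOW = 300                         # seconds per observation window (assumed)


def detect_anomalies(records, factor=3.0, min_sources=5, scan_targets=8):
    """records: iterable of (unix_ts, src_ip, dst_ip, dst_port) seen on the gateway."""
    fan_in = defaultdict(lambda: defaultdict(set))    # device -> window -> outside sources
    fan_out = defaultdict(lambda: defaultdict(set))   # device -> window -> LAN targets
    for ts, src, dst, port in records:
        window = int(ts) // WINDOW
        src_local = ip_address(src) in LAN
        dst_local = ip_address(dst) in LAN
        if dst_local and not src_local and port in REMOTE_ACCESS_PORTS:
            fan_in[dst][window].add(src)
        elif src_local and dst_local:
            fan_out[src][window].add(dst)

    findings = []
    for device, windows in fan_in.items():
        history = []                                  # counts from quiet windows only
        for window in range(min(windows), max(windows) + 1):
            count = len(windows.get(window, ()))
            baseline = median(history) if history else 0
            # Deviation over time: many distinct sources, well above the device's norm.
            if count >= min_sources and count > factor * baseline:
                findings.append((device, window * WINDOW, "password-guessing", count))
            else:
                history.append(count)
    for device, windows in fan_out.items():
        for window, targets in windows.items():
            if len(targets) >= scan_targets:
                findings.append((device, window * WINDOW, "network-scan", len(targets)))
    return sorted(findings)


def respond(findings):
    """Response the text gives for both cases: block the connection, alert the user."""
    return [{"device": dev, "kind": kind, "action": "block-connections", "alert_user": True}
            for dev, _start, kind, _count in findings]


def sample_records():
    """Constructed records: a camera receiving SSH/Telnet connections, a plug scanning the LAN."""
    camera, plug = "192.168.1.20", "192.168.1.30"
    recs = [(10, "203.0.113.5", camera, 22),
            (310, "203.0.113.5", camera, 22),
            (610, "203.0.113.5", camera, 22)]
    recs += [(900 + i, "198.51.100.%d" % (i + 1), camera, 23) for i in range(12)]
    recs += [(300 + i, plug, "192.168.1.%d" % (i + 1), 23) for i in range(10)]
    return recs


if __name__ == "__main__":
    for finding in detect_anomalies(sample_records()):
        print(finding)
```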
In another example, suppose an IoT device 110 classified as a "child device" begins requesting or accessing domains and URLs of adult websites that are used by malicious applications of IoT device 110. In such a case, it may be necessary to install the security component 125 to allow the user to block the connection (e.g., using a "parental control" function) and perform an anti-virus scan.
In one aspect, if the analysis tool 122 does not detect a security component 125, the analysis tool 122 sends a request to the security service 160, where the request is used to determine which security component 125 needs to be installed.
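The checks and decisions described above for analysis tool 122 can be combined as in the following added example, which is not code from the patent. The component names, the event format, the use of SHA-256 as the hash, and every database entry are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-in for a malicious binary; only its hash is stored in the database.
CONSTRUCTED_BAD_PAYLOAD = b"constructed sample standing in for a malicious binary"

# Constructed excerpt of database 123 as supplied by the security service.
DB_123 = {
    "malicious_domains": {"bad-iot.example.test"},
    "safe_domains": {"vendor.example.test"},
    "malicious_hashes": {hashlib.sha256(CONSTRUCTED_BAD_PAYLOAD).hexdigest()},
}


@dataclass(frozen=True)
class Decision:
    component: str          # hypothetical name of the security component to install
    reason: str
    notify_user: bool = True


def domain_matches(domain, listed):
    """True if domain equals a listed entry or is a subdomain of it (label boundary)."""
    d = domain.lower().rstrip(".")
    return any(d == entry or d.endswith("." + entry) for entry in listed)


def decide(device, events, db=DB_123):
    """Map intercepted events for one device to the components to install."""
    decisions = []
    suspected_infected = False

    # Outbound requests to domains used by known malicious applications.
    bad = sorted({e["domain"] for e in events
                  if e["kind"] == "outbound"
                  and domain_matches(e["domain"], db["malicious_domains"])})
    if bad:
        decisions.append(Decision("domain-url-blocker", "outbound request to " + ", ".join(bad)))
        suspected_infected = True

    for e in events:
        if e["kind"] == "inbound":
            # Incoming payload whose hash is in the malicious-application hash database.
            digest = hashlib.sha256(e["payload"]).hexdigest()
            if digest in db["malicious_hashes"]:
                decisions.append(Decision("traffic-blocker", "inbound sha256 " + digest[:12]))
        elif e["kind"] == "anomaly":
            decisions.append(Decision("connection-blocker", e["detail"]))
            suspected_infected = True

    # A scan is only possible where a component can be installed on the device.
    if suspected_infected and device["supports_install"]:
        decisions.append(Decision("antivirus-scan", "device suspected infected", False))
    # Components chosen by user category (content filtering, parental control).
    if device["user_category"] == "children":
        decisions.append(Decision("parental-control", "user category: children", False))
    # Nothing selected locally: ask the security service which component is needed.
    if not decisions:
        decisions.append(Decision("ask-security-service", "no local match", False))
    return decisions


if __name__ == "__main__":
    tablet = {"category": "tablet", "user_category": "children", "supports_install": True}
    seen = [{"kind": "outbound", "domain": "cdn.bad-iot.example.test"},
            {"kind": "inbound", "payload": CONSTRUCTED_BAD_PAYLOAD}]
    for decision in decide(tablet, seen):
        print(decision)
```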
The security service 160 interacts with the analysis tool 122. In one aspect, the security service 160 is a service on a remote server, where the security service 160 may be a cloud service or a service in a local network. The security service 160 provides data for storage in the database 123, including data associated with the IoT device 110, data containing information about network threats that depends on the class of the IoT device 110 and the class of the user of the IoT device 110. Thus, the data stored in database 123 describes security components in terms of network threats. In one aspect, database 123 may be partitioned into a plurality of different databases.
In one aspect, the data associated with IoT device 110 includes at least one of:
- a description of IoT device 110 (described above);
- firmware of IoT device 110; and
- weak passwords of IoT device 110 (e.g., in the form of a list of passwords and in the form of regular expressions).
In one aspect, the data containing information about the cyber threat that is dependent on the class of IoT device 110 and the class of the user of IoT device 110 includes at least one of:
- domains and URLs used by malicious applications of IoT device 110;
- open Telnet and SSH ports of IoT device 110 (it should be understood that the ports may differ depending on the current firmware of IoT device 110); and
- data for detecting malicious applications on the device 110.
In one aspect, the data describing the security component in terms of the cyber threat includes at least one of:
- a security component 125 that can be installed on the IoT device 110 according to the description of the IoT device 110; and
- an interceptor 121a that may be installed on IoT device 110 according to the description of IoT device 110.
In one aspect, as described above, the security service 160 performs the assembly of the security component 125 and the assembly of the interceptor 121a. The assembly of security components includes, for example, compiling and linking or generating scripts for the interpreters of the IoT device 110.
Notably, in one preferred aspect, the data of domains and URLs used by malicious applications of IoT device 110 are formed using security application 170, which security application 170 may act as a pre-configured virtual machine on the internet without a security solution, emulating IoT device 110 and containing all known vulnerabilities for malicious applications to attack such virtual machines. For example, the virtual machine may be a so-called IoT honeypot.
Within the scope of the present invention, the weak password may include:
- passwords that do not meet security requirements (e.g., words in a dictionary that do not have uppercase letters, numbers, and/or special characters),
- a manufacturer-set "factory" password,
- a default login and password (e.g., admin: admin), and
- passwords that have leaked onto the Internet (e.g., in publications about vulnerabilities in media stories, or passwords from known compromised password databases distributed over the "dark" portion of the Internet, a hidden network in which connections are established only between trusted nodes using non-standard protocols and ports, e.g., the darknet).
In one aspect, the weak passwords may be obtained by the security application 170 using the IoT honeypot.
In one aspect, the security service 160 notifies the user of the IoT device 110 according to data from the analysis tool 122.
In one aspect, the security service 160 augments the database 123 based on data from the analysis tool 122. For example, if the analysis tool 122 detects an open port on the IoT device 110 that was previously unknown to the security service 160, or transmits data regarding anomalies using a previously unknown domain and URL, the security service 160 may analyze the data and add the data to the database 123 for future reference.
Notably, interceptor 121, analysis tool 122, and security component 125 may be implemented as components of an anti-virus solution or as an endpoint detection and response (EDR) solution (e.g., Kaspersky EDR). In this case, the security service 160 makes a decision regarding an operation to ensure security.
Fig. 3 illustrates a method 300 for providing security for a network device (e.g., IoT device) by installing security components in accordance with aspects of the invention.
In step 310, the method 300 obtains information about the interaction of the IoT device 110 with at least one of the following through the interceptor 121 hosted on the gateway 120: one or more other IoT devices 110, cloud services 130, and malicious servers 190. Interceptor 121 is described above in connection with fig. 2.
In one aspect, obtaining information about the interaction of IoT devices 110 with other IoT devices 110, cloud services 130, and malicious server 190 is performed by:
- intercepting requests to and from IoT device 110;
- extracting data about the domain and URL from the intercepted request;
- intercepting incoming traffic to IoT devices 110 on a predetermined set of TCP/UDP ports;
- checking whether IoT device 110 has an open TCP/UDP port providing remote access to the respective IoT device 110.
In one aspect, the intercepted request comprises a DNS/HTTP/HTTPS request.
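The extraction step listed above (pulling the domain and URL out of an intercepted DNS or HTTP request) can look like the following added example, which is not code from the patent. The sample packets are constructed, and HTTPS is left out because the request line and headers are encrypted unless the gateway terminates TLS.

```python
import struct
from urllib.parse import urlsplit

# Constructed samples (not captured traffic): a DNS A-record query and a
# plain-HTTP request as an interceptor on the gateway would see them.
SAMPLE_DNS = (b"\x1a\x2b\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
              b"\x09telemetry\x07example\x04test\x00\x00\x01\x00\x01")
SAMPLE_HTTP = (b"GET /fw/check?model=XVV-B10 HTTP/1.1\r\n"
               b"Host: Cam-Update.example.test:8080\r\n"
               b"User-Agent: constructed-sample\r\n\r\n")


def parse_dns_qname(packet):
    """Return the queried name from a raw DNS query (the UDP payload)."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _ident, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount < 1:
        raise ValueError("not a DNS query with a question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("QNAME runs past end of packet")
        length = packet[pos]
        pos += 1
        if length == 0:                       # root label ends the name
            break
        if length > 63:                       # compression pointer or invalid length
            raise ValueError("unexpected label length in question")
        if pos + length > len(packet):
            raise ValueError("label runs past end of packet")
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels).lower()


def parse_http_request(raw):
    """Return (domain, url) from the head of a plain-HTTP request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    target, host = parts[1], ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
            break
    if target.lower().startswith(("http://", "https://")):   # absolute-form target
        split = urlsplit(target)
        host = split.netloc
        target = (split.path or "/") + ("?" + split.query if split.query else "")
    netloc = urlsplit("//" + host)
    if not netloc.hostname:
        raise ValueError("request carries no host")
    authority = netloc.hostname + (":%d" % netloc.port if netloc.port else "")
    return netloc.hostname, "http://" + authority + target


def extract_indicators(intercepted):
    """intercepted: list of (protocol, payload); malformed payloads yield empty fields."""
    out = []
    for proto, payload in intercepted:
        try:
            if proto == "dns":
                domain, url = parse_dns_qname(payload), None
            elif proto == "http":
                domain, url = parse_http_request(payload)
            else:
                continue
        except ValueError:
            domain, url = None, None
        out.append({"proto": proto, "domain": domain, "url": url})
    return out


if __name__ == "__main__":
    for row in extract_indicators([("dns", SAMPLE_DNS), ("http", SAMPLE_HTTP)]):
        print(row)
```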
In step 320, the method 300 determines at least one category of the IoT device 110 and at least one category of a user of the IoT device 110 by an analysis tool 122 located on the at least one gateway 120. In one aspect, at least one category of IoT devices and at least one category of users of IoT devices are determined by interacting with the security service 160 based on information obtained from the interceptor 121 regarding interactions of IoT devices, wherein the security service 160 is designed to provide data to the analysis tool 122. In one aspect, through this interaction, a description of device 110 is disclosed, wherein the description includes at least a type of device 110, a manufacturer of device 110, a model of device 110, and firmware of device 110.
In one aspect, information regarding interactions of IoT devices 110 is contained in a database.
In one aspect, the database comprises at least:
- data associated with IoT device 110;
- data containing information about network threats, wherein the information about network threats of a particular IoT device depends on a class of the particular IoT device 110 and a class of a user of the particular IoT device 110; and
- a description of the security component of the particular IoT device 110, wherein the description of the security component of the particular IoT device 110 is dependent on the network threat.
In one aspect, the data associated with IoT device 110 includes at least one of:
- a description of IoT device 110 (described above);
- firmware of IoT device 110; and
- a weak password for IoT device 110.
In one aspect, the data comprising information about the cyber threat comprises at least one of:
- domains and URLs used by malicious applications of IoT device 110;
- open Telnet/SSH ports of the particular IoT device 110 (it should be understood that the ports may differ depending on the current firmware of IoT device 110); and
- data for detecting malicious applications on IoT device 110.
In one aspect, the description of the security component that depends on the class of IoT device 110 and the class of the user of IoT device 110 includes at least one of:
- a security component 125 that can be installed on the IoT device 110 according to the description of the IoT device 110; and
- an interceptor 121a that may be installed on IoT device 110 according to the description of IoT device 110.
In one aspect, using the analysis tool 122, the method 300 determines the class of the IoT device 110 and the class of the user of the IoT device 110 by interacting with the remote security server 160 based on data received from the interceptor 121. Then, a description of IoT device 110 is determined, wherein the description includes at least a type of IoT device 110, a manufacturer of IoT device 110, a model of IoT device 110, and firmware of IoT device 110. The method then receives information about IoT device 110 from security service 160, wherein the information includes at least a Telnet/SSH port of IoT device 110, allowed domains and URLs of IoT device 110, and the devices with which interaction over the network is allowed. The method checks domains and URLs from intercepted traffic against a database of domains and URLs used by malicious applications of IoT device 110 based on data provided by security service 160.
In step 330, the method 300 receives data from the at least one security service via the analysis tool 122 and identifies a security component to be installed on the device based on the data received from the at least one security service, the at least one category of the device, and the at least one category of the user of the device. In one aspect, the data comprises: data about the device, data about the cyber-threat depending on at least one category of the device and at least one category of a user of the device, and data describing a security component, wherein the security component is based on the at least one type of cyber-threat. For example, the method 300 identifies security components 125 that need to be installed on the IoT device 110 based on certain categories of IoT devices 110 and categories of users of IoT devices 110. An example of identifying the security component 125 is discussed in connection with fig. 2.
In one aspect, the analysis tool 122 determines which security component 125 needs to be installed on the device 110 by sending a request to the security service 160.
In one embodiment, the security service 160 assembles and transmits the security component 125 to the analysis tool 122.
In step 340, the method 300 installs the security component 125 identified by the analysis tool 122 on the user's device 110 through the interceptor 121.
In one aspect, the method 300 also installs the interceptor 121a on the IoT device 110 of the user.
Fig. 4 is a block diagram illustrating a computer system 20 on which aspects of the systems and methods for providing security for network devices (e.g., IoT devices) by installing security components may be implemented. The computer system 20 may be in the form of a plurality of computing devices, or may be in the form of a single computing device, such as a desktop computer, a notebook computer, a laptop computer, a mobile computing device, a smart phone, a tablet computer, a server, a mainframe, an embedded device, and other forms of computing devices.
As shown, the computer system 20 includes a central processing unit (CPU) 21, a system memory 22, and a system bus 23 that connects the various system components, including memory associated with the central processing unit 21. The system bus 23 may include a bus memory or bus memory controller, a peripheral bus, and a local bus that may be capable of interacting with any other bus architecture. Examples of buses may include PCI, ISA, PCI-Express, HyperTransport™, InfiniBand™, Serial ATA, I²C, and other suitable interconnects. The central processing unit 21 (also referred to as a processor) may include a single set or multiple sets of processors having a single core or multiple cores. The processor 21 may execute one or more computer-executable codes that implement the techniques of the present invention. The system memory 22 may be any memory for storing data used herein and/or computer programs executable by the processor 21. The system memory 22 may include volatile memory, such as random access memory (RAM) 25, and non-volatile memory, such as read-only memory (ROM) 24, flash memory, etc., or any combination thereof. A basic input/output system (BIOS) 26 may store basic programs that transfer information between elements within the computer system 20, such as those during loading of the operating system using ROM 24.
The computer system 20 may include one or more storage devices, such as one or more removable storage devices 27, one or more non-removable storage devices 28, or a combination thereof. The one or more removable storage devices 27 and the one or more non-removable storage devices 28 are connected to the system bus 23 by a storage device interface 32. In one aspect, the storage devices and corresponding computer-readable storage media are power-independent modules for storing computer instructions, data structures, program modules, and other data for computer system 20. The system memory 22, the removable storage device 27, and the non-removable storage device 28 may use a variety of computer-readable storage media. Examples of the computer readable storage medium include: machine memory such as cache, SRAM, DRAM, zero capacitance RAM, dual transistor RAM, eDRAM, EDO RAM, DDR RAM, EEPROM, NRAM, RRAM, SONOS, PRAM; flash memory or other storage technology, such as in a solid state drive (Solid State Drive, SSD) or flash memory drive; magnetic tape cartridges, magnetic tape, and magnetic disk storage, such as in a hard disk drive or floppy disk; optical storage, such as in compact discs (CD-ROM) or digital versatile discs (Digital Versatile Disk, DVD); and any other medium that can be used to store the desired data and that can be accessed by computer system 20.
The system memory 22, the removable storage device 27, and the non-removable storage device 28 of the computer system 20 may be used to store an operating system 35, additional application programs 37, other program modules 38, and program data 39. The computer system 20 may include a peripheral interface 46 for communicating data from an input device 40, such as a keyboard, mouse, stylus, game controller, voice input device, touch input device, or other peripheral device, such as a printer or scanner via one or more I/O ports, such as a serial port, parallel port, universal serial bus (Universal Serial Bus, USB), or other peripheral interface. A display device 47, such as one or more monitors, projectors or integrated displays, can also be connected to system bus 23 via an output interface 48, such as a video adapter. In addition to the display device 47, the computer system 20 may be equipped with other peripheral output devices (not shown), such as speakers and other audiovisual devices.
The computer system 20 may operate in a networked environment using network connections to one or more remote computers 49. The one or more remote computers 49 may be local computer workstations or servers that include most or all of the elements previously described above in describing the nature of the computer system 20. Other devices may also be present in a computer network such as, but not limited to, routers, network sites, peer devices, or other network nodes. The computer system 20 may include one or more network interfaces 51 or network adapters for communicating with remote computer 49 through one or more networks, such as a local-area network (LAN) 50, a wide-area network (WAN), an intranet, and the internet. Examples of network interfaces 51 may include Ethernet interfaces, frame relay interfaces, SONET (synchronous optical network) interfaces, and wireless interfaces.
Aspects of the present invention may be a system, method, and/or computer program product. The computer program product may include one or more computer-readable storage media having computer-readable program instructions thereon for causing a processor to perform aspects of the present invention.
The computer readable storage medium may be a tangible device that can hold and store program code in the form of instructions or data structures that can be accessed by a processor of a computing device, such as computer system 20. The computer readable storage medium may be an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination thereof. By way of example, such computer-readable storage media may include random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), portable compact disc read-only memory (CD-ROM), digital versatile discs (DVD), flash memory, hard disks, portable computer diskette, memory stick, floppy disk, or even a mechanical coding device such as a punch card or a protrusion structure in a groove having instructions recorded thereon. As used herein, a computer-readable storage medium should not be considered a transitory signal per se, such as a radio wave or other freely propagating electromagnetic wave, an electromagnetic wave propagating through a waveguide or transmission medium, or an electrical signal transmitted through an electrical wire.
The computer readable program instructions described herein may be downloaded from a computer readable storage medium to a corresponding computing device, or downloaded over a network (e.g., the internet, a local area network, a wide area network, and/or a wireless network) to an external computer or external storage device. The network may include copper transmission cables, optical transmission fibers, wireless transmissions, routers, firewalls, switches, gateway computers and/or edge servers. The network interface in each computing device receives computer-readable program instructions from the network and forwards the computer-readable program instructions for storage in a computer-readable storage medium within the respective computing device.
Computer readable program instructions for performing the operations of the present invention can be assembly instructions, instruction set architecture (ISA) instructions, machine-related instructions, microcode, firmware instructions, state setting data, or source or object code written in any combination of one or more programming languages, including an object-oriented programming language and a conventional programming language. The computer-readable program instructions (as a stand-alone software package) may execute entirely on the user's computer, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network (including a LAN or a WAN), or the connection may be made to an external computer (for example, through the Internet). In some aspects, electronic circuitry, including, for example, programmable logic circuitry, field programmable gate arrays (FPGAs), or programmable logic arrays (PLAs), may execute computer-readable program instructions by utilizing state information of the computer-readable program instructions to personalize the electronic circuitry to perform aspects of the present invention.
In various aspects, the systems and methods described in this disclosure may be handled as modules. The term "module" as used herein refers to, for example, a real world device, a component, or an arrangement of components implemented using hardware, such as through an Application Specific Integrated Circuit (ASIC) or FPGA, or a combination of hardware and software, such as implemented by a microprocessor system and a set of instructions that, when executed, transform the microprocessor system into a special-purpose device, implement the functions of the module. A module may also be implemented as a combination of two modules, where some functions are facilitated by hardware alone, and other functions are facilitated by a combination of hardware and software. In some implementations, at least a portion of the modules (and in some cases all of the modules) may run on a processor of a computer system (e.g., the computer system described in more detail above in fig. 4). Thus, each module may be implemented in a variety of suitable configurations and should not be limited to any particular implementation illustrated herein.
In the interest of clarity, not all routine features of the various aspects are disclosed herein. It will be appreciated that in the development of any actual implementation of the invention, numerous implementation-specific decisions must be made in order to achieve the developer's specific goals, and that these specific goals will vary from one implementation to another and from one developer to another. It will be appreciated that such a development effort might be complex and time-consuming, but would nevertheless be a routine undertaking of engineering for those of ordinary skill in the art having the benefit of this disclosure.
Further, it is to be understood that the phraseology or terminology used herein is for the purpose of description and not of limitation, such that the terminology or phraseology of the present specification is to be interpreted by the skilled artisan in light of the teachings and guidance presented herein, in combination with the knowledge of one(s) of ordinary skill in the relevant art. Furthermore, no terms in the specification or claims are intended to be ascribed an uncommon or special meaning unless explicitly set forth as such.
Various aspects disclosed herein include present and future known equivalents to the known modules referred to herein by way of illustration. Furthermore, while various aspects and applications have been shown and described, it would be apparent to those skilled in the art having the benefit of this disclosure that many more modifications than mentioned above are possible without departing from the inventive concepts disclosed herein.

Claims (21)

1. A method for providing security for a network device, comprising:
obtaining, by means of an interceptor located on at least one gateway or on the device, information about the interaction of the device with at least one of the following: one or more other devices, services, and servers;
by means of an analysis tool located on the at least one gateway:
determining at least one category of the device and at least one category of a user of the device by interacting with at least one security service based on the information received from the interceptor about the interactions of the device;
receiving data from the at least one security service, the data comprising: data about the device, data about a cyber threat depending on at least one category of the device and at least one category of a user of the device, and data describing a security component, wherein the security component is based on at least one type of cyber threat; and
identifying the security component to be installed on the device based on the data received from the at least one security service, at least one category of the device, and at least one category of a user of the device; and
installing, by the interceptor, the security component identified by the analysis tool on the device.
2. The method of claim 1, wherein the interceptor obtains the information about the interactions of the devices by performing at least one of:
intercepting Domain Name Service (DNS)/Hypertext Transfer Protocol (HTTP)/Hypertext Transfer Protocol Secure (HTTPS) requests from a plurality of devices;
extracting domain and Uniform Resource Locator (URL) data from the intercepted request;
intercepting incoming traffic to a plurality of devices on a predetermined set of Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports; and
checking whether the device has an open TCP/UDP port providing remote access to the device.
3. The method of claim 1, wherein the data about the device comprises at least one of: a description of the device, firmware of the device, and a weak password of the device.
4. The method of claim 1, wherein the data regarding network threats depending on at least one category of the device and at least one category of a user of the device comprises at least one of:
domains and Uniform Resource Locators (URLs) used by malicious device applications,
data about the open telecommunication and network/secure shell (telnet/SSH) ports of the device, and
data for detecting a malicious device application when the malicious device application is invoked.
5. The method of claim 1, wherein the device comprises the security component or the interceptor according to a description of the device.
6. The method of claim 1, wherein the security service assembles the security component.
7. The method of claim 1, further comprising: installing an interceptor on the device through the interceptor on the at least one gateway when the interceptor is located on the at least one gateway, wherein network security is provided for the device.
8. A network device security system, comprising:
at least one gateway comprising at least one hardware processor and at least one memory,
the gateway comprises an analysis tool and an interceptor,
the gateway communicates with at least one device and at least one security service,
wherein the interceptor performs:
obtaining information about interactions of the device with at least one of: one or more other devices, services, and servers; and
installing a security component on the device that is identified by the analysis tool;
wherein the analysis tool performs:
determining at least one category of the device and at least one category of a user of the device, by interacting with the at least one security service, based on information obtained from the interceptor about the interactions of the device,
interacting with the at least one security service to receive data from the at least one security service, and
identifying the security component for installation on the device based on the data received from the security service, the determined at least one category of the device, and the at least one category of the user of the device; and
wherein the at least one security service provides data to the analysis tool, wherein the data comprises: data about the device, data about a cyber threat depending on at least one category of the device and at least one category of a user of the device, and data describing the security component, wherein the security component is based on at least one type of cyber threat.
9. The system of claim 8, wherein the interceptor obtains the information about the interactions of the devices by performing at least one of:
intercepting Domain Name Service (DNS)/Hypertext Transfer Protocol (HTTP)/Hypertext Transfer Protocol Secure (HTTPS) requests from a plurality of devices;
extracting domain and Uniform Resource Locator (URL) data from the intercepted request;
intercepting incoming traffic to a plurality of devices on a predetermined set of transmission control protocol/user datagram protocol (TCP/UDP) ports; and
checking whether the device has an open TCP/UDP port providing remote access to the device.
10. The system of claim 8, wherein the data about the device comprises at least one of: a description of the device, firmware of the device, and a weak password of the device.
11. The system of claim 8, wherein the data regarding cyber threats depending on at least one category of the device and at least one category of a user of the device comprises at least one of:
domains and Uniform Resource Locators (URLs) used by malicious device applications,
data about the open Telnet/Secure Shell (SSH) ports of the device, and
data for detecting a malicious device application when the malicious device application is invoked.
12. The system of claim 8, wherein the device comprises the security component or the interceptor according to a description of the device.
13. The system of claim 8, wherein the security service assembles the security component.
14. The system of claim 8, wherein the interceptor located on the at least one gateway further performs: installing an interceptor on the device when the interceptor is located on the at least one gateway, wherein network security is provided for the device.
15. A non-transitory computer-readable medium having stored thereon computer-executable instructions for providing security for a network device, the computer-executable instructions comprising instructions for:
obtaining, by means of an interceptor located on at least one gateway or the device, information about the interaction of the device with at least one of: one or more other devices, services, and servers;
by means of an analysis tool located on the at least one gateway:
determining at least one category of the device and at least one category of a user of the device by interacting with at least one security service based on the information received from the interceptor about the interactions of the device;
receiving data from the at least one security service, the data comprising: data about the device, data about a cyber threat depending on at least one category of the device and at least one category of a user of the device, and data describing a security component, wherein the security component is based on at least one type of cyber threat; and
identifying the security component to be installed on the device based on data received from the at least one security service, at least one category of the device, and at least one category of a user of the device; and
installing the security component identified by the analysis tool on the device through the interceptor.
16. The non-transitory computer-readable medium of claim 15, wherein the interceptor obtains the information about the interactions of the devices by performing at least one of:
intercepting Domain Name Service (DNS)/Hypertext Transfer Protocol (HTTP)/Hypertext Transfer Protocol Secure (HTTPS) requests from a plurality of devices;
extracting domain and Uniform Resource Locator (URL) data from the intercepted request;
intercepting incoming traffic to a plurality of devices on a predetermined set of transmission control protocol/user datagram protocol (TCP/UDP) ports; and
checking whether the device has an open TCP/UDP port providing remote access to the device.
17. The non-transitory computer-readable medium of claim 15, wherein the data about the device comprises at least one of: a description of the device, firmware of the device, and a weak password of the device.
18. The non-transitory computer-readable medium of claim 15, wherein the data regarding cyber threats depending on at least one category of the device and at least one category of a user of the device comprises at least one of:
domains and Uniform Resource Locators (URLs) used by malicious device applications,
data about the open Telnet/Secure Shell (SSH) ports of the device, and
data for detecting a malicious device application when the malicious device application is invoked.
19. The non-transitory computer-readable medium of claim 15, wherein the device comprises the security component or the interceptor according to a description of the device.
20. The non-transitory computer-readable medium of claim 15, wherein the security service assembles the security component.
21. The non-transitory computer-readable medium of claim 15, wherein the computer-executable instructions further comprise instructions for:
installing an interceptor on the device through the interceptor on the at least one gateway when the interceptor is located on the at least one gateway, wherein network security is provided for the device.
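The data-gathering steps recited in claims 2, 9 and 16 (extracting domain and URL data from intercepted DNS and HTTP requests, and noting open remote-access ports) can be illustrated with the following Python code, which is an added example and not part of the patent or of any product of the applicant. The function names, the sample packets, the `.test` domain names, the port table and the threat-domain set are constructed assumptions; only plaintext HTTP is handled.

```python
from urllib.parse import urlsplit

# Assumed mapping; the claims name telnet/SSH as remote-access ports.
REMOTE_ACCESS_PORTS = {22: "ssh", 23: "telnet"}

# Constructed samples: a DNS query for cam.example.test and a plaintext HTTP request.
SAMPLE_DNS = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
              b"\x03cam\x07example\x04test\x00\x00\x01\x00\x01")
SAMPLE_HTTP = (b"GET /fw/update.bin?v=2 HTTP/1.1\r\n"
               b"Host: Updates.Example.TEST:8080\r\nUser-Agent: cam\r\n\r\n")

def dns_query_name(msg: bytes) -> str:
    """Return the name asked for in the first question of a raw DNS query."""
    # 12-byte header; QR bit (top bit of byte 2) set means a response; QDCOUNT must be > 0.
    if len(msg) < 12 or msg[2] & 0x80 or msg[4:6] == b"\x00\x00":
        raise ValueError("not a DNS query")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated QNAME")
        length = msg[pos]
        if length == 0:
            return ".".join(labels)
        if length > 63:  # compression pointer or reserved label type: rejected here
            raise ValueError("unsupported label type")
        label = msg[pos + 1:pos + 1 + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii", "replace").lower())
        pos += 1 + length

def http_domain_and_url(request: bytes) -> tuple[str, str]:
    """Return (domain, URL) from the head of a plaintext HTTP/1.x request."""
    lines = request.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    hosts = [v.strip().lower() for n, _, v in (l.partition(":") for l in lines[1:])
             if n.strip().lower() == "host"]
    if len(hosts) != 1:  # missing or duplicated Host header is ambiguous
        raise ValueError("expected exactly one Host header")
    url = target if "://" in target else f"http://{hosts[0]}{target}"
    return urlsplit(f"http://{hosts[0]}").hostname, url

def interaction_record(dns_msgs, http_reqs, open_ports, threat_domains):
    """Summarise one device's observed interactions for the analysis step."""
    pairs = [http_domain_and_url(r) for r in http_reqs]
    domains = {dns_query_name(m) for m in dns_msgs} | {d for d, _ in pairs}
    return {"domains": sorted(domains), "urls": [u for _, u in pairs],
            "remote_access": sorted(REMOTE_ACCESS_PORTS[p] for p in open_ports
                                    if p in REMOTE_ACCESS_PORTS),
            "threat_hits": sorted(domains & set(threat_domains))}
```

The list of open ports is taken as an input here; how the gateway learns it is outside this example.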
CN202311031042.7A 2022-09-08 2023-08-15 System and method for providing security for internet of things devices Pending CN117675173A (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
RU2022123909 2022-09-08
US18/341,814 US20240089271A1 (en) 2022-09-08 2023-06-27 System and method for providing security to iot devices
US18/341,814 2023-06-27

Publications (1)

Publication Number Publication Date
CN117675173A true CN117675173A (en) 2024-03-08

Family

ID=90067031

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311031042.7A Pending CN117675173A (en) 2022-09-08 2023-08-15 System and method for providing security for internet of things devices

Country Status (1)

Country Link
CN (1) CN117675173A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination