CN117938413A - Equipment network access control method, device, equipment and medium - Google Patents

Info

Publication number: CN117938413A
Authority: CN (China)
Prior art keywords: equipment, things, target internet, target, internet
Legal status: Pending
Application number: CN202310088291.3A
Other languages: Chinese (zh)
Inventors: 路富豪, 范渊
Current Assignee: DBAPPSecurity Co Ltd
Original Assignee: DBAPPSecurity Co Ltd
Application filed by DBAPPSecurity Co Ltd
Priority to CN202310088291.3A
Publication of CN117938413A

Abstract

The application discloses a method, a device, equipment and a medium for controlling network access of equipment in the field of the Internet of things. The method comprises the following steps: based on the traffic sent by a target Internet of things device to the switch it is connected to, identifying the target device with a preset device identification method so as to obtain a device identification result, where the preset device identification method comprises any one or a combination of device identification based on flow characteristics, device identification based on device fingerprints, and labelling and identification of dumb terminal devices; and, based on the device identification result, performing network admission control on the target device with a preset device admission policy, where the preset admission policy comprises any one or a combination of admission control based on device characteristics, device fingerprints, national standards, switch linkage and ARP spoofing. The application provides a converged security admission technology based on the identification and classification of Internet of things terminals.

Description

Equipment network access control method, device, equipment and medium
Technical Field
The invention relates to the field of internet of things, in particular to a method, a device, equipment and a medium for controlling network access of equipment.
Background
Internet of things terminals are being deployed ever more widely in existing networks and their number is growing explosively. With the diversification of attack means, Internet of things security protection is at present a major weak point in the security protection of the whole network, and the admission security of video terminals in particular is especially important.
At present, traditional network admission technology faces challenges in device identification management, risk handling, device admission and abnormal behaviour of the Internet of things, and cannot cope with the changing dynamic attacks and policy requirements of Internet of things terminals.
It follows that how to provide a converged security admission technology based on the identification and classification of Internet of things terminals during the admission of Internet of things devices is a problem to be solved in the field.
Disclosure of Invention
In view of the above, the present invention aims to provide a method, a device and a medium for controlling network access of a device, which provide a converged security admission technology based on the identification and classification of Internet of things terminals by using device feature identification based on feature extraction, device identification based on fingerprints and device classification based on sample labelling. The specific scheme is as follows:
In a first aspect, the present application discloses a method for controlling network access of a device, including:
based on the traffic sent by a target Internet of things device to the switch it is connected to, identifying the target Internet of things device with a preset device identification method so as to obtain a device identification result; the preset device identification method comprises any one or a combination of a device identification method based on flow characteristics, a device identification method based on device fingerprints, and a device labelling and identification method for dumb terminal devices;
based on the device identification result, performing network admission control on the target Internet of things device with a preset device admission policy; the preset device admission policy comprises any one or more of an admission policy based on device characteristics, an admission policy based on device fingerprints, an admission policy based on national standards, an admission control policy based on switch linkage, and an admission control policy based on ARP spoofing.
Optionally, identifying the target Internet of things device with a preset device identification method, based on the traffic it sends to the switch it is connected to, so as to obtain a device identification result includes:
analysing the target flow characteristics in the target traffic packets sent by the target Internet of things device to the switch it is connected to, so as to obtain a flow characteristic analysis result; the target flow characteristics are the number of packets, the average packet length, the sequence of packet lengths, the duration of the flow and the bit rate (bits per second) of the flow in the target traffic;
and identifying the target Internet of things device based on the flow characteristic analysis result so as to determine its device type.
Optionally, identifying the target Internet of things device with a preset device identification method, based on the traffic it sends to the switch it is connected to, so as to obtain a device identification result includes:
determining flow fingerprint information and device fingerprint information of the target Internet of things device based on a TCP packet it sends to the switch it is connected to; the flow fingerprint information is a feature group characterising the device's traffic characteristics and the category they belong to, and the device fingerprint information is feature information identifying the identity of the target Internet of things device;
and matching the device fingerprint information and the flow fingerprint information against the information in a preset fingerprint resource library to determine an information matching result for the target Internet of things device.
Optionally, identifying the target Internet of things device with a preset device identification method, based on the traffic it sends to the switch it is connected to, so as to obtain a device identification result includes:
obtaining target traffic sent by a security module deployed in or on the end side of the target Internet of things device and, based on the target traffic sent by the target device, labelling the target device with its device type information using a preset traffic sample knowledge base;
and determining the device type of the target Internet of things device based on the device type information.
Optionally, performing network admission control on the target Internet of things device with a preset device admission policy based on the device identification result includes:
judging whether the device type of the target Internet of things device exists in a pre-established service white list;
if the device type of the target Internet of things device exists in the pre-established service white list, allowing the target Internet of things device to access the Internet of things;
analysing, one by one, the target data sent by the target Internet of things device after it has been admitted, to determine the protocol characteristics of the target device;
matching the protocol characteristics of the target Internet of things device against the target protocol characteristics preset in the service white list for its device type;
if the protocol characteristics of the target device match the target protocol characteristics preset in the service white list for its device type, releasing the target data;
if the protocol characteristics of the target device do not match the target protocol characteristics preset in the service white list for its device type, blocking the target data in real time and raising an alarm in real time.
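The white-list procedure in the steps above, as an added Python example that is not part of the patent: the service white list, the protocol-feature labels on each packet and the traffic records are constructed assumptions, since the patent does not publish its own.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

ProtocolFeature = Tuple[str, str]   # (transport, application protocol)

# Hypothetical pre-established service white list: device type -> the target protocol
# characteristics that type is expected to exhibit once admitted (constructed).
SERVICE_WHITELIST: Dict[str, FrozenSet[ProtocolFeature]] = {
    "ip-camera": frozenset({("udp", "sip"), ("tcp", "sip"), ("tcp", "rtsp"), ("udp", "rtp")}),
    "ip-phone": frozenset({("udp", "sip"), ("udp", "rtp")}),
}

@dataclass(frozen=True)
class Decision:
    action: str          # "admit", "deny", "release" or "block"
    alarm: bool = False
    reason: str = ""

def admission_decision(device_type: str) -> Decision:
    """Step one: a device type absent from the white list is not admitted at all."""
    if device_type in SERVICE_WHITELIST:
        return Decision("admit")
    return Decision("deny", alarm=True,
                    reason=f"device type {device_type!r} not in service white list")

def protocol_features(packet: dict) -> ProtocolFeature:
    """Derive the protocol characteristic of one packet. A real gateway would decode
    the payload; the constructed records here already carry the labels."""
    return (packet["transport"], packet["app_proto"])

def inspect_traffic(device_type: str, packets: List[dict]) -> List[Decision]:
    """Steps two to four: after admission, match every packet's protocol features
    against the white-listed set for the device type; release on a match, otherwise
    block and alarm. Blocking one packet does not stop inspection of the next, so
    the caller receives one decision per packet."""
    allowed = SERVICE_WHITELIST.get(device_type, frozenset())
    decisions = []
    for packet in packets:
        feature = protocol_features(packet)
        if feature in allowed:
            decisions.append(Decision("release"))
        else:
            decisions.append(Decision("block", alarm=True,
                reason=f"{feature[0]}/{feature[1]} not expected from {device_type}"))
    return decisions

def process_device(device_type: str, packets: List[dict]) -> Tuple[Decision, List[Decision]]:
    """Whole procedure: admission first, then per-packet release or block."""
    admission = admission_decision(device_type)
    if admission.action != "admit":
        return admission, []
    return admission, inspect_traffic(device_type, packets)

# Constructed traffic records (not a capture): a camera registers over SIP, streams
# RTP, then unexpectedly opens an SMB session, which the policy must block and alarm on.
CAMERA_TRAFFIC = [
    {"transport": "udp", "app_proto": "sip"},
    {"transport": "udp", "app_proto": "rtp"},
    {"transport": "tcp", "app_proto": "smb"},
]

if __name__ == "__main__":
    admission, per_packet = process_device("ip-camera", CAMERA_TRAFFIC)
    print(admission)
    for packet, decision in zip(CAMERA_TRAFFIC, per_packet):
        print(packet, decision)
    print(process_device("unknown-type", CAMERA_TRAFFIC)[0])
```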
Optionally, the method for controlling network access of the device further includes:
The national standard-based admission policy is configured as an admission policy based on the GB28181 and/or GB35114-2017 standards.
Optionally, identifying the target Internet of things device with a preset device identification method, based on the traffic it sends to the switch it is connected to, so as to obtain a device identification result includes:
obtaining the target traffic packet sent by the target terminal device to the switch using bypass network traffic analysis, and identifying the target Internet of things device with a preset device identification method based on the target traffic packet, so as to obtain a device identification result.
In a second aspect, the present application discloses a device network access control apparatus, including:
a device identification module, which identifies the target Internet of things device with a preset device identification method, based on the traffic the target device sends to the switch it is connected to, so as to obtain a device identification result; the preset device identification method comprises any one or a combination of a device identification method based on flow characteristics, a device identification method based on device fingerprints, and a device labelling and identification method for dumb terminal devices;
an admission control module, which performs network admission control on the target Internet of things device with a preset device admission policy based on the device identification result; the preset device admission policy comprises any one or more of an admission policy based on device characteristics, an admission policy based on device fingerprints, an admission policy based on national standards, an admission control policy based on switch linkage, and an admission control policy based on ARP spoofing.
In a third aspect, the present application discloses an electronic device, comprising:
A memory for storing a computer program;
and the processor is used for executing the computer program to realize the device network access control method.
In a fourth aspect, the present application discloses a computer storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the steps of the device network access control method disclosed above.
The method identifies the target Internet of things device with a preset device identification method, based on the traffic the target device sends to the switch it is connected to, so as to obtain a device identification result; the preset device identification method comprises any one or a combination of a device identification method based on flow characteristics, a device identification method based on device fingerprints, and a device labelling and identification method for dumb terminal devices;
based on the device identification result, it performs network admission control on the target Internet of things device with a preset device admission policy; the preset device admission policy comprises any one or more of an admission policy based on device characteristics, an admission policy based on device fingerprints, an admission policy based on national standards, an admission control policy based on switch linkage, and an admission control policy based on ARP spoofing. The application provides a converged security admission technology based on the identification and classification of Internet of things terminals. Starting from the security perception of the Internet of things terminal, and through device feature identification based on feature extraction, device identification based on fingerprints and device classification based on sample labelling, it can accurately control front-end access devices so that only legitimate Internet of things devices that pass authentication can access the network, which solves the problems of accurate identification, control and secure admission of existing Internet of things terminals.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present invention, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of a method for controlling network access of a device according to the present application;
FIG. 2 is a schematic diagram of a method fusion process according to the present application;
fig. 3 is a flowchart of a specific method for controlling network access of a device according to the present application;
Fig. 4 is a schematic structural diagram of a network access control device of a device provided by the present application;
Fig. 5 is a block diagram of an electronic device according to the present application.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
In the prior art, conventional network admission technology faces challenges in device identification management, risk handling, device admission and abnormal behaviour of the Internet of things, and cannot cope with the changing dynamic attacks and policy requirements of Internet of things terminals. The application provides a converged security admission technology based on the identification and classification of Internet of things terminals by using device feature identification based on feature extraction, device identification based on fingerprints and device classification based on sample labelling.
The embodiment of the invention discloses a method for controlling network access of equipment, which is described with reference to fig. 1 and comprises the following steps:
Step S11: based on the traffic sent by the target Internet of things device to the switch it is connected to, identifying the target Internet of things device with a preset device identification method so as to obtain a device identification result; the preset device identification method comprises any one or a combination of device identification methods based on flow characteristics, device identification methods based on device fingerprints, and device labelling and identification methods for dumb terminal devices.
The premise of admission control for the large number of devices in the Internet of things is accurate identification of the devices' identity information. Three device identification methods are provided in this embodiment: a device identification method based on flow characteristics, a device identification method based on device fingerprints, and a device labelling and identification method for dumb terminal devices.
In this embodiment, identifying the target Internet of things device with a preset device identification method, based on the traffic it sends to the switch it is connected to, so as to obtain a device identification result may include: analysing the target flow characteristics in the target traffic packets sent by the target Internet of things device to the switch it is connected to, so as to obtain a flow characteristic analysis result, where the target flow characteristics are the number of packets, the average packet length, the sequence of packet lengths, the duration of the flow and the bit rate (bits per second) of the flow in the target traffic; and identifying the target Internet of things device based on the flow characteristic analysis result so as to determine its device type.
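As an added illustration that is not code from the patent, the following Python computes the five flow characteristics listed above from one flow's (timestamp, length) pairs and matches them against preset device profiles; the profile ranges and the sample flows are constructed assumptions, since the patent publishes no thresholds.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class FlowFeatures:
    """The five flow characteristics named in the patent."""
    packet_count: int
    avg_packet_len: float
    length_sequence: Tuple[int, ...]
    duration: float          # seconds between first and last packet
    bits_per_second: float

def extract_flow_features(packets: List[Tuple[float, int]]) -> FlowFeatures:
    """Compute the flow characteristics from (timestamp_seconds, length_bytes) pairs
    that all belong to one flow (same 5-tuple) seen on the switch mirror port."""
    if not packets:
        raise ValueError("flow contains no packets")
    timestamps = [t for t, _ in packets]
    lengths = [n for _, n in packets]
    duration = max(timestamps) - min(timestamps)
    # A single-packet flow has zero duration; report 0 bps rather than divide by zero.
    bps = (sum(lengths) * 8) / duration if duration > 0 else 0.0
    return FlowFeatures(
        packet_count=len(lengths),
        avg_packet_len=sum(lengths) / len(lengths),
        length_sequence=tuple(lengths),
        duration=duration,
        bits_per_second=bps,
    )

# Hypothetical preset profiles (constructed; the patent does not publish thresholds).
# Each entry gives an inclusive (low, high) range per feature; all ranges must hold.
DEVICE_PROFILES = {
    "ip-camera": {
        "packet_count": (50, 10**9),
        "avg_packet_len": (900, 1500),        # near-MTU video payloads
        "bits_per_second": (500_000, 20_000_000),
    },
    "ip-phone": {
        "packet_count": (20, 10**9),
        "avg_packet_len": (150, 260),         # small, regular voice packets
        "bits_per_second": (30_000, 200_000),
    },
}

def classify_flow(features: FlowFeatures) -> str:
    """Return the single device type whose profile the flow satisfies, or "unknown".
    An ambiguous or empty match is reported as unknown so that the admission step
    falls through to the fingerprint or labelling methods instead of guessing."""
    matches = [
        name
        for name, profile in DEVICE_PROFILES.items()
        if all(lo <= getattr(features, key) <= hi for key, (lo, hi) in profile.items())
    ]
    return matches[0] if len(matches) == 1 else "unknown"

# Constructed samples (not captures): 60 voice-sized packets 20 ms apart, and
# 100 near-MTU packets 1 ms apart as a video stream would produce.
VOICE_FLOW = [(0.020 * i, 200) for i in range(60)]
VIDEO_FLOW = [(0.001 * i, 1400) for i in range(100)]

if __name__ == "__main__":
    for label, flow in (("voice", VOICE_FLOW), ("video", VIDEO_FLOW)):
        f = extract_flow_features(flow)
        print(label, f.packet_count, round(f.avg_packet_len),
              round(f.bits_per_second), classify_flow(f))
```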
In this embodiment, identifying the target Internet of things device with a preset device identification method, based on the traffic it sends to the switch it is connected to, so as to obtain a device identification result may include: determining flow fingerprint information and device fingerprint information of the target Internet of things device based on a TCP (Transmission Control Protocol) packet sent by the target device to the switch it is connected to, where the flow fingerprint information is a feature group characterising the device's traffic characteristics and the category they belong to, and the device fingerprint information is feature information identifying the identity of the target Internet of things device; and matching the device fingerprint information and the flow fingerprint information against the information in a preset fingerprint resource library to determine an information matching result for the target Internet of things device.
In a specific embodiment, the device identification method based on device fingerprints mainly derives a device fingerprint and a traffic fingerprint with discriminating power from network traffic, using device information such as the IP (Internet Protocol) address, ports, open services, HTTP (HyperText Transfer Protocol) and HTTPS (Hypertext Transfer Protocol Secure) response information, certificate information and data traffic. The traffic fingerprint is a feature set characterising the traffic characteristics of a device and the class it belongs to; the device fingerprint is feature information that uniquely identifies the device. Different Internet of things devices, cloud platforms, application systems and system versions exhibit different features, including spatio-temporal features, handshake features, certificate features and the like. Fingerprint information for a specific traffic protocol or device can be constructed by combining these features, and the device type of each device is finally determined by fingerprint weighting through methods such as fingerprint matching and similarity measurement, so that identification and classification of Internet of things devices can be achieved effectively.
Specifically, the method can generate a unique device fingerprint for each device, which can serve as the device's unique identity for network admission and mainly includes the IP address, MAC (Media Access Control) address, device type, device model, device manufacturer, operating system and the like. The device fingerprint can be obtained by various means such as network scanning, SNMP (Simple Network Management Protocol) queries and passive monitoring. The implementation process is as follows:
1. Read the gateway's ARP (Address Resolution Protocol) table entries via SNMP; the main fields of each entry are the IP address and the MAC address.
2. Telnet to the switch and obtain the terminal's IP address and MAC address from the output of a show arp table command.
3. Side-mounted traffic mirror analysis: parse the traffic packets, reading the MAC address from the network layer of the packet and the IP address from the IP layer.
4. NMAP-assisted discovery: periodically scan the IP addresses in the address range that have not yet been discovered; the scan triggers the terminal to send ARP or other protocol traffic, so that the gateway generates ARP entries and the traffic probe captures the traffic.
5. The gateway is configured with DHCP relay and forwards the message to the DHCP server at the same time; the DHCP server responds normally to the DHCP (Dynamic Host Configuration Protocol) message, and after the DHCP message is received, information such as the MAC address is extracted from it and added to the terminal discovery data.
6. Parse the userAgent (user agent) in HTTP messages sent by the terminal, from which information such as the terminal's operating system version can be obtained.
7. Obtain terminal identification information, such as operating system information, from the SMB (Server Message Block) protocol traffic sent by the terminal.
8. Obtain Option 12 (Host Name), Option 60 (Vendor Class Identifier, i.e. the operating system vendor) and Option 55 (Parameter Request List, i.e. the terminal fingerprint) from the DHCP messages sent by the terminal.
9. Actively send an NMAP scan request to the terminal and obtain the terminal's device fingerprint information from the response, including but not limited to the terminal name, operating system type and terminal application protocols.
In the above process, information such as the terminal's IP address and MAC address, operating system information, operating system version, hostname and operating system vendor may be used as the device fingerprint.
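As an added example, not the patent's own implementation, the following Python parses Option 12, 60 and 55 out of a DHCP message observed passively (item 8 above), builds a fingerprint record, and matches it against a preset fingerprint library by weighted scoring as the previous paragraph describes; the DHCP message builder, library entries, weights, threshold and sample messages are constructed assumptions.

```python
import struct
from typing import Dict, List, Tuple

DHCP_MAGIC = b"\x63\x82\x53\x63"

def build_dhcp_message(mac: bytes, options: List[Tuple[int, bytes]]) -> bytes:
    """Constructed helper so the example runs offline: a minimal BOOTP/DHCP request
    (236-byte fixed header, magic cookie, then TLV options terminated by 0xff)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                 # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
        0x3903F326, 0, 0x8000,      # xid, secs, flags (broadcast)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr yiaddr siaddr giaddr
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,  # chaddr sname file
    )
    body = bytearray(DHCP_MAGIC)
    for code, value in options:
        body += bytes([code, len(value)]) + value
    body += b"\xff"
    return header + bytes(body)

def parse_dhcp_options(msg: bytes) -> Tuple[bytes, Dict[int, bytes]]:
    """Return (client hardware address, {option code: raw value}). Truncated or
    malformed option fields raise instead of being silently skipped."""
    if len(msg) < 240 or msg[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    hlen = msg[2]
    chaddr = msg[28:28 + hlen]
    opts: Dict[int, bytes] = {}
    i = 240
    while i < len(msg):
        code = msg[i]
        if code == 255:            # END
            break
        if code == 0:              # PAD
            i += 1
            continue
        if i + 1 >= len(msg):
            raise ValueError("truncated option header")
        length = msg[i + 1]
        value = msg[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return chaddr, opts

def dhcp_fingerprint(msg: bytes) -> dict:
    """Extract the three DHCP options the patent names into a fingerprint record."""
    mac, opts = parse_dhcp_options(msg)
    return {
        "mac": ":".join(f"{b:02x}" for b in mac),
        "hostname": opts.get(12, b"").decode("ascii", "replace"),      # Option 12
        "vendor_class": opts.get(60, b"").decode("ascii", "replace"),  # Option 60
        "param_request_list": tuple(opts.get(55, b"")),                # Option 55
    }

# Hypothetical preset fingerprint resource library and weights (constructed; the
# patent publishes neither). The Option 55 ordering is a well-known passive
# OS/firmware signal, so it and the vendor class carry most of the weight.
FINGERPRINT_LIBRARY = [
    {"device_type": "ip-camera", "vendor_class": "ExampleCam-FW2",
     "param_request_list": (1, 3, 6, 12, 15, 28, 42), "hostname_prefix": "CAM-"},
    {"device_type": "network-printer", "vendor_class": "ExamplePrint",
     "param_request_list": (1, 3, 6, 12, 15, 44, 47), "hostname_prefix": "PRN"},
]
WEIGHTS = {"vendor_class": 0.45, "param_request_list": 0.40, "hostname_prefix": 0.15}

def match_fingerprint(fp: dict, threshold: float = 0.8) -> Tuple[str, float]:
    """Weighted match against the library; below the threshold the device stays
    unknown so that admission falls back to the other identification methods."""
    best_type, best_score = "unknown", 0.0
    for entry in FINGERPRINT_LIBRARY:
        score = 0.0
        if fp["vendor_class"] == entry["vendor_class"]:
            score += WEIGHTS["vendor_class"]
        if fp["param_request_list"] == entry["param_request_list"]:
            score += WEIGHTS["param_request_list"]
        if fp["hostname"].startswith(entry["hostname_prefix"]):
            score += WEIGHTS["hostname_prefix"]
        if score > best_score:
            best_type, best_score = entry["device_type"], score
    return (best_type, best_score) if best_score >= threshold else ("unknown", best_score)

# Constructed samples: a camera that matches fully, and a laptop that only shares
# the camera's vendor class string, which must not be enough on its own.
CAMERA_MSG = build_dhcp_message(bytes.fromhex("0011223344aa"), [
    (53, b"\x01"), (12, b"CAM-lobby-01"), (60, b"ExampleCam-FW2"),
    (55, bytes((1, 3, 6, 12, 15, 28, 42))),
])
LAPTOP_MSG = build_dhcp_message(bytes.fromhex("0011223344bb"), [
    (53, b"\x01"), (12, b"laptop-42"), (60, b"ExampleCam-FW2"),
    (55, bytes((1, 3, 6, 15, 31, 33, 43))),
])

if __name__ == "__main__":
    for msg in (CAMERA_MSG, LAPTOP_MSG):
        fp = dhcp_fingerprint(msg)
        print(fp, "->", match_fingerprint(fp))
```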
For Internet of things devices under high-volume, massively concurrent terminal transmission, accurately labelling devices that carry no identifying marks, especially non-intelligent terminals such as front-end cameras, network printers and IP phones, that is, dumb terminal devices, is a difficult problem.
In this embodiment, identifying the target Internet of things device with a preset device identification method, based on the traffic it sends to the switch it is connected to, so as to obtain a device identification result may include: obtaining target traffic sent by a security module deployed in or on the end side of the target Internet of things device and, based on that traffic, labelling the target device with its device type information using a preset traffic sample knowledge base; and determining the device type of the target Internet of things device based on the device type information.
It should be noted that, in a specific embodiment, the best device identification effect is obtained by combining the three methods: the device identification method based on flow characteristics, the device identification method based on device fingerprints, and the device labelling and identification method for dumb terminal devices.
Fig. 2 is a flowchart of the device identification method based on device fingerprints and the device identification method based on flow characteristics of the present application. The traffic sent by the target Internet of things device to the switch it is connected to is first taken as a detection sample; TCP flows are extracted from the traffic; original features (the device fingerprint, the traffic fingerprint and the flow characteristics) are determined from the TCP flows; fingerprint features (the device fingerprint and traffic fingerprint used by the fingerprint-based method) and statistical features (the flow characteristics used by the flow-characteristic-based method) are extracted from the original features; and the extracted fingerprint features and statistical features are then classified by a predetermined artificial intelligence model, which outputs the device class.
In terms of terminal security, the device identification method based on flow characteristics, the device identification method based on device fingerprints and the device labelling and identification method for dumb terminal devices can identify and resolve the terminal identity problem, achieving identity whitelisting of all devices. In this embodiment, multiple terminal identification modes are applied together, so that scanning and feature collection of almost all IP devices can be achieved effectively without a client or built-in support technology on the IP device, and the devices are thereby identified and anchored.
Step S12: based on the device identification result, performing network admission control on the target Internet of things device with a preset device admission policy; the preset device admission policy comprises any one or more of an admission policy based on device characteristics, an admission policy based on device fingerprints, an admission policy based on national standards, an admission control policy based on switch linkage, and an admission control policy based on ARP spoofing.
In this embodiment, the performing network admission control on the target internet of things device by using a preset device admission policy based on the device identification result may include: if the information matching result of the target Internet of things equipment meets a preset matching condition, allowing the target Internet of things equipment to be accessed; and if the information matching result of the target Internet of things equipment does not meet the preset matching condition, blocking and alarming the target Internet of things equipment in real time.
The admission policy based on the device fingerprint in this embodiment corresponds to the device identification method based on the device fingerprint, and implements real-time handling and isolation for the access terminal based on the boundary-level hybrid access technology. And carrying out fingerprint identification on the access of the video monitoring equipment, and if the terminal fingerprint is consistent with the equipment fingerprint library information, allowing the front-end terminal to access, blocking and alarming the terminal with the incorrect fingerprint information in real time.
In this embodiment, the method for controlling network access of a device may further include: the national standard-based admission policy is configured as an admission policy based on the GB28181 and/or GB35114-2017 standards. The GB28181 is used as technical requirements for information transmission, exchange and control of public security video monitoring networking systems, and most public security video transmission network devices follow the standard to transmit and exchange information. The safety access control gateway is internally provided with a national standard protocol template, can identify whether IPC (i.e. Inter-Process Communication, inter-process communication) is accessed by GB28181 standard, and can alarm and block corresponding to a terminal which is accessed by national standard but does not transmit national standard data. GB35114 is used as a requirement of video monitoring networking video information and control information security guarantee, and is combined with an admission control mechanism, and in a video private network which is forcedly built according to the GB35114 standard, a security admission control gateway can perform real-time blocking and alarming on a terminal which does not accord with the GB35114 standard by performing depth identification on a registration message, a control message and a video stream message.
In this embodiment, the admission control policy based on switch linkage enables the 802.1x admission control function under the condition that the access switch has the 802.1x admission control function. The physical ports of the access switch device are classified into two categories, uncontrolled ports and controlled ports. When the terminal equipment is accessed to the network, after the 802.1x access control mechanism is started, the switch only forwards and receives the EAPOL (i.e. Extensible Authentication Protocol Over LAN, namely EAP Over Lan, extended authentication protocol based on local area network) authentication data frame, and after the access authentication is successful, the port of the access switch is identified as a controlled port, and the communication function is opened. Otherwise, the access port will keep uncontrolled state continuously, and not forward the service data.
In this embodiment, the access control policy based on ARP spoofing may implement a network access control function based on ARP interference in a pure two-layer switching environment. The logical vulnerability of the ARP protocol is utilized, the client devices which do not meet the security policy are subjected to ARP-like spoofing, false gateway MAC addresses are provided for the client devices, and network resources cannot be normally accessed by the client devices, so that the client devices which do not meet the security policy are limited to access the network.
In this embodiment, automatic admission may also be performed with an admission policy for a specified IP network segment or a specified terminal type, with terminal fingerprint binding checks performed at the same time; a terminal not admitted by the policy is identified as a privately connected (unauthorized) terminal. Private or counterfeit terminals can be blocked by traffic blocking or by switch linkage according to the blocking policy. Traffic blocking drops the offending packets directly. Switch linkage uses SNMP to configure a MAC blocking list on the switch, so the terminal is cut off at the access layer. By analysing the traffic mirrored from the core switch, if a counterfeit or private terminal, or a terminal with abnormal behaviour, is found, the gateway can send TCP reset (RST) messages to tear down the connection between the terminal and the video system; this reaches only TCP sessions, and the injected RST must carry the sequence number the peer currently expects, so UDP/RTP traffic needs one of the other blocking paths. The gateway can also be linked with the core switch for admission: on finding such a terminal it issues a MAC address blacklist to the core switch, which then refuses to forward traffic for that MAC. A MAC blacklist is only as strong as the MAC address itself, which a counterfeit terminal can change, which is why it is paired with the fingerprint binding check above.
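The TCP reset blocking above is easy to get wrong from a mirror port, because modern stacks (RFC 5961) accept a RST only when its sequence number equals exactly the next sequence number they expect; anything else in the window just provokes a challenge ACK. The added example below, which is not the patent's code, derives the two RSTs from one segment observed client-to-server, builds proper 20-byte TCP headers with the pseudo-header checksum, and checks them. The observed segment is constructed; sending would need a raw socket and an IP header in front.

```python
import ipaddress
import struct
from dataclasses import dataclass

FLAG_RST = 0x04
FLAG_ACK = 0x10


@dataclass
class ObservedSegment:
    """Fields of one TCP segment seen on the mirror port, client -> server.
    payload_len must include +1 for a SYN or FIN flag if one is set."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: int
    ack: int
    payload_len: int


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit big-endian words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    return struct.pack("!4s4sBBH", ipaddress.IPv4Address(src_ip).packed,
                       ipaddress.IPv4Address(dst_ip).packed, 0, 6, tcp_len)


def build_tcp_segment(src_ip, dst_ip, src_port, dst_port, seq, ack, flags, window=0) -> bytes:
    """TCP header without options (data offset 5), checksum filled in."""
    hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, seq & 0xFFFFFFFF,
                      ack & 0xFFFFFFFF, 5 << 4, flags, window, 0, 0)
    csum = internet_checksum(_pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def verify_tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """A correct segment sums to zero together with its pseudo-header."""
    return internet_checksum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def segment_fields(segment: bytes) -> dict:
    sport, dport, seq, ack, _off, flags = struct.unpack("!HHIIBB", segment[:14])
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack, "flags": flags}


def reset_pair(seg: ObservedSegment):
    """Two RSTs that tear down the observed connection from a bypass position.

    The server's RCV.NXT after this segment is seg.seq + payload_len, so the
    RST spoofed from the client carries that value. The client's RCV.NXT is
    whatever it just acknowledged, seg.ack, so the RST spoofed from the server
    carries that. Both are exact matches as RFC 5961 requires; the gateway is
    still racing the real traffic, so it must inject before the next segment.
    """
    next_from_client = (seg.seq + seg.payload_len) & 0xFFFFFFFF
    to_server = build_tcp_segment(seg.src_ip, seg.dst_ip, seg.src_port, seg.dst_port,
                                  next_from_client, 0, FLAG_RST)
    to_client = build_tcp_segment(seg.dst_ip, seg.src_ip, seg.dst_port, seg.src_port,
                                  seg.ack, 0, FLAG_RST)
    return to_server, to_client


if __name__ == "__main__":
    # Constructed: a counterfeit terminal talking SIP-over-TCP to the video platform.
    observed = ObservedSegment("192.168.10.57", 51000, "192.168.10.200", 5060, 1000, 5000, 120)
    to_server, to_client = reset_pair(observed)
    print("RST to server seq", segment_fields(to_server)["seq"])
    print("RST to client seq", segment_fields(to_client)["seq"])
```

Because the RST to the server has to be spoofed with the terminal's source address, the gateway's injection interface must not be behind anti-spoofing filters, and the whole technique does nothing for the UDP/RTP media the terminal may already be pushing; that is what the SNMP MAC blacklist path is for.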
In this embodiment, performing device identification on the target Internet of Things device using a preset device identification method, based on the traffic it sends to the switch it is connected to, may include: acquiring the target traffic packets sent by the target terminal device to the switch by bypass network traffic analysis, that is, from a copy of the traffic (a mirror/SPAN port) rather than from an inline position, and performing device identification on the target Internet of Things device using the preset device identification method on those packets, so as to obtain the device identification result. In other words, bypass traffic analysis is used to obtain the target traffic packets the terminal sends to the switch, and device identification is carried out on those packets without the gateway sitting in the forwarding path.
In summary, based on the traffic sent by the target Internet of Things device to the switch it is connected to, the target device is identified using a preset device identification method to obtain a device identification result, where the preset device identification method comprises any one or a combination of the flow-feature-based device identification method, the device-fingerprint-based device identification method and the device labeling and identification method for dumb terminal devices; then, based on the device identification result, network admission control is performed on the target device using a preset device admission policy, which comprises any one or more of the admission policy based on device features, the admission policy based on device fingerprints, the admission policy based on national standards, the admission control policy based on switch linkage and the admission control policy based on ARP spoofing. The embodiment applies several terminal identification modes together, so that scanning and feature collection can be carried out on almost all IP devices without installing a client on the device or depending on vendor built-in support, and the device is thereby identified and anchored.
Combined with the various device admission policies, converged network admission control of the target Internet of Things device is achieved. The method distinguishes legitimate terminals from illegitimate ones by device identity, defends against the damage caused by unauthorized connection to the network, prevents and blocks illegal devices (private connection and impersonation) from joining, blocks network intrusion and illegal data access, and so secures the Internet of Things transmission network.
Fig. 3 is a flowchart of a specific device network access control method according to an embodiment of the present application. Referring to fig. 3, the method includes:
Step S21: analyzing the target flow features in the target traffic packets sent by the target Internet of Things device to the switch it is connected to, to obtain a flow feature analysis result; the target flow features are the number of packets in the target traffic, the average packet length, the packet length sequence, the duration of the flow and the bits per second of the flow.
In a specific embodiment, the flow-feature-based identification method analyses the flow features of the raw device traffic: packet statistics such as the packet count, average packet length and packet length sequence of the device traffic, and flow statistics such as the flow duration and bits per second, serve as the flow statistical features.
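As an added illustration (not the patent's implementation), the block below computes exactly the five flow statistics named in step S21 from a list of per-packet timestamps and lengths, then assigns a device type by nearest reference profile. The packet samples, the reference profiles and the distance threshold are constructed assumptions; a real deployment would learn the profiles from labelled traffic of the device types on its network.

```python
import math
import statistics
from dataclasses import dataclass


@dataclass
class Flow:
    timestamps: list   # seconds, non-decreasing within the flow
    lengths: list      # IP packet length in bytes, one per timestamp


def flow_features(flow: Flow) -> dict:
    """The five flow statistics of step S21 for one flow."""
    if not flow.lengths or len(flow.lengths) != len(flow.timestamps):
        raise ValueError("flow needs one timestamp per packet")
    total_bytes = sum(flow.lengths)
    duration = flow.timestamps[-1] - flow.timestamps[0]
    # A single packet (or packets with identical timestamps) has no rate.
    bps = total_bytes * 8 / duration if duration > 0 else 0.0
    return {
        "packet_count": len(flow.lengths),
        "mean_length": statistics.mean(flow.lengths),
        "length_sequence": list(flow.lengths),
        "duration_s": duration,
        "bits_per_second": bps,
    }


# Constructed reference profiles (assumptions): typical mean packet length and
# rate of a flow from each device type on a surveillance network.
PROFILES = {
    "ip_camera": {"mean_length": 1250.0, "bits_per_second": 1.0e6},
    "access_controller": {"mean_length": 90.0, "bits_per_second": 300.0},
    "network_printer_idle": {"mean_length": 300.0, "bits_per_second": 3000.0},
}


def _vector(features: dict) -> tuple:
    # Scale length to [0, 1] by the Ethernet MTU and compress rate with log10
    # so the two dimensions carry comparable weight in the distance.
    return (features["mean_length"] / 1500.0,
            math.log10(features["bits_per_second"] + 1.0))


def classify_flow(features: dict, profiles: dict = PROFILES, max_distance: float = 1.0) -> str:
    """Nearest-centroid device type; 'unknown' if no profile is close enough."""
    v = _vector(features)
    best, best_d = "unknown", float("inf")
    for name, prof in profiles.items():
        d = math.dist(v, _vector(prof))
        if d < best_d:
            best, best_d = name, d
    return best if best_d <= max_distance else "unknown"


if __name__ == "__main__":
    # Constructed sample: five full-size video packets and a short one in 50 ms.
    sample = Flow([0.0, 0.01, 0.02, 0.03, 0.04, 0.05],
                  [1400, 1400, 1400, 1400, 1400, 600])
    feats = flow_features(sample)
    print(feats)
    print("device type:", classify_flow(feats))
```

The length sequence is returned but not used by the centroid rule; it is the feature a sequence model would consume, and the reason it is worth keeping is that a counterfeit terminal can match a rate and mean length far more easily than the packet-size pattern of a real encoder.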
Step S22: and carrying out equipment identification on the target internet of things equipment based on the flow characteristic analysis result so as to determine the equipment type of the target internet of things equipment.
Step S23: and judging whether the device type of the target internet of things device exists in a pre-established service white list.
Step S24: and if the device type of the target internet of things device exists in the pre-established service white list, allowing the target internet of things device to access the internet of things.
Step S25: and analyzing the target data sent after the target internet of things equipment is accessed to the internet of things one by one so as to determine the protocol characteristics of the target internet of things equipment.
Step S26: and matching the protocol characteristics of the target internet of things equipment with target protocol characteristics which are preset in the service white list and correspond to the equipment type of the target internet of things equipment.
Step S27: if the protocol features of the target Internet of Things device match the target protocol features preset in the service white list for its device type, the target data is released (forwarded).
Step S28: if the protocol features of the target Internet of Things device do not match the target protocol features preset in the service white list for its device type, the target data is blocked in real time and an alarm is raised in real time.
This embodiment provides a terminal admission control method that integrates multiple admission policies. The admission policy based on device features corresponds to the device identification method based on flow features: a service white list is built from the protocol features of the admitted services, with a built-in protocol feature library for the video and other services of mainstream security-surveillance vendors, and the library can be extended manually. Data transmission is controlled against this white list through a deep service feature identification mechanism, so that only authorized terminals can access the Internet of Things. Once a terminal is connected, its data is analysed packet by packet for protocol features and matched against the protocol feature white list; on a match the data is released, and on a mismatch it is blocked in real time and an alarm is raised in real time. Deep service feature identification means real-time analysis of the data flow passing through the gateway. It recognises the video services of the major vendors' private security protocols and of the GB28181, ONVIF, GB35114, GA/T 1400 and other standards, allows only devices transmitting legitimate video services onto the network, and blocks and alarms in real time on illegitimate service traffic (for example a video terminal initiating FTP (File Transfer Protocol) transfers, port scans or database connection requests), thereby adding deep protection of the video private network on top of legitimate terminal admission.
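The following added example (not the patent's code) runs the S23 to S28 pipeline and the GB28181 template check from the national-standard policy described earlier over a handful of constructed packets: admit by device type, classify each packet's protocol from its payload rather than its port, release what the white list allows, and block-and-alert on the rest. The white list, the packets and the GB28181 type-code table are assumptions; the type codes at digits 11-13 of the 20-digit device ID are given as recalled from Annex D of GB/T 28181 and should be verified against the standard before use.

```python
import re
from dataclasses import dataclass

# Constructed service white list (assumption): device type -> protocols its
# business traffic may carry once admitted.
SERVICE_WHITELIST = {
    "gb28181_camera": {"sip", "rtp"},
    "onvif_camera": {"rtsp", "rtp"},
}

# Assumed mapping of GB/T 28181 device ID type codes (digits 11-13).
GB28181_TYPE_CODES = {"131": "camera", "132": "network camera", "118": "NVR", "200": "platform"}


@dataclass
class Packet:
    transport: str     # "tcp" or "udp"
    dst_port: int
    payload: bytes


_SIP_REQ = re.compile(rb"^(REGISTER|INVITE|MESSAGE|BYE|ACK|OPTIONS|NOTIFY|SUBSCRIBE|INFO) sip:\S+ SIP/2\.0\r?\n")
_SIP_RESP = re.compile(rb"^SIP/2\.0 \d{3} ")
_RTSP = re.compile(rb"^(OPTIONS|DESCRIBE|SETUP|PLAY|TEARDOWN) rtsp://\S+ RTSP/1\.0|^RTSP/1\.0 \d{3} ")
_FTP = re.compile(rb"^(USER|PASS|RETR|STOR|LIST|PORT|PASV)\b|^220[ -]")
_GB28181_FROM = re.compile(rb"^From:\s*<?sip:(\d{20})@", re.M | re.I)
_ANY_FROM = re.compile(rb"^From:\s*<?sip:([^@>\s]+)@", re.M | re.I)


def classify_packet(pkt: Packet) -> str:
    """Protocol feature of one packet from its payload (deep identification).
    Port scans and database connections need flow-level state and are left as
    'unknown' here, which the white list still blocks."""
    p = pkt.payload
    if _SIP_REQ.match(p) or _SIP_RESP.match(p):
        return "sip"
    if _RTSP.match(p):
        return "rtsp"
    if _FTP.match(p):
        return "ftp"
    # RTP fixed header: version 2 in the top two bits, payload type outside the
    # 72-76 range that RTP reserves to avoid confusion with RTCP.
    if pkt.transport == "udp" and len(p) >= 12 and (p[0] >> 6) == 2 and not 72 <= (p[1] & 0x7F) <= 76:
        return "rtp"
    return "unknown"


def check_gb28181_register(payload: bytes):
    """GB28181 template: a REGISTER must carry a 20-digit device ID in From.
    Returns (ok, detail); a terminal registering without one is 'accessed by
    national standard but not transmitting national-standard data'."""
    if not payload.startswith(b"REGISTER "):
        return False, "not a REGISTER"
    m = _GB28181_FROM.search(payload)
    if not m:
        raw = _ANY_FROM.search(payload)
        shown = raw.group(1).decode(errors="replace") if raw else None
        return False, "non-GB28181 device ID: %r" % shown
    dev_id = m.group(1).decode()
    return True, GB28181_TYPE_CODES.get(dev_id[10:13], "type " + dev_id[10:13])


def admission_control(device_type: str, packets):
    """Steps S23-S28: admit by device type, then judge every packet.
    Returns (admitted, [(verdict, reason), ...])."""
    allowed = SERVICE_WHITELIST.get(device_type)
    if allowed is None:
        return False, []            # S23/S24: type not on the white list
    verdicts = []
    for pkt in packets:
        proto = classify_packet(pkt)                       # S25
        if proto not in allowed:                           # S26/S28
            verdicts.append(("block+alert", proto))
            continue
        if proto == "sip" and pkt.payload.startswith(b"REGISTER "):
            ok, detail = check_gb28181_register(pkt.payload)
            if not ok:
                verdicts.append(("block+alert", "sip register: " + detail))
                continue
        verdicts.append(("release", proto))               # S27
    return True, verdicts


# Constructed sample packets (assumptions).
REGISTER_OK = (b"REGISTER sip:34020000002000000001@3402000000 SIP/2.0\r\n"
               b"Via: SIP/2.0/UDP 192.168.10.57:5060;branch=z9hG4bK1\r\n"
               b"From: <sip:34020000001320000001@3402000000>;tag=1\r\n"
               b"To: <sip:34020000001320000001@3402000000>\r\n"
               b"Call-ID: 1\r\nCSeq: 1 REGISTER\r\nExpires: 3600\r\nContent-Length: 0\r\n\r\n")
REGISTER_BAD = REGISTER_OK.replace(b"34020000001320000001", b"camera01")
RTP_PKT = bytes([0x80, 0x60, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1]) + b"\x00" * 40
FTP_PKT = b"USER anonymous\r\n"

if __name__ == "__main__":
    admitted, verdicts = admission_control("gb28181_camera", [
        Packet("udp", 5060, REGISTER_OK), Packet("udp", 30000, RTP_PKT),
        Packet("tcp", 21, FTP_PKT), Packet("udp", 5060, REGISTER_BAD)])
    print(admitted, verdicts)
```

The FTP packet is blocked even though nothing about the camera's admission changed, which is the point of S25 to S28: admission is re-evaluated on every packet, so a legitimately admitted terminal that is later compromised and starts exfiltrating over FTP is cut off at the first packet.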
Referring to fig. 4, the embodiment of the application discloses a device network access control device, which specifically may include:
The device identification module 11 is configured to perform device identification on the target Internet of Things device, based on the traffic it sends to the switch it is connected to, using a preset device identification method, so as to obtain a device identification result; the preset device identification method comprises any one or a combination of the flow-feature-based device identification method, the device-fingerprint-based device identification method and the device labeling and identification method for dumb terminal devices;
An admission control module 12, configured to perform network admission control on the target internet of things device by using a preset device admission policy based on the device identification result; the preset equipment access policy comprises any one or more of an access policy based on equipment characteristics, an access policy based on equipment fingerprints, an access policy based on national standards, an access control policy based on switch linkage and an access control policy based on ARP spoofing.
Further, the embodiment of the present application further discloses an electronic device, and fig. 5 is a block diagram of an electronic device 20 according to an exemplary embodiment, where the content of the diagram is not to be considered as any limitation on the scope of use of the present application.
Fig. 5 is a schematic structural diagram of an electronic device 20 according to an embodiment of the present application. The electronic device 20 may specifically include: at least one processor 21, at least one memory 22, a power supply 23, a display screen 24, an input-output interface 25, a communication interface 26, and a communication bus 27. The memory 22 is configured to store a computer program, where the computer program is loaded and executed by the processor 21 to implement relevant steps in the device access control method disclosed in any of the foregoing embodiments. In addition, the electronic device 20 in the present embodiment may be specifically an electronic computer.
In this embodiment, the power supply 23 is configured to provide an operating voltage for each hardware device on the electronic device 20; the communication interface 26 can create a data transmission channel between the electronic device 20 and an external device, and the communication protocol to be followed is any communication protocol applicable to the technical solution of the present application, which is not limited herein in detail; the input/output interface 25 is used for acquiring external input data or outputting external output data, and the specific interface type thereof may be selected according to the specific application requirement, which is not limited herein.
The memory 22 may be a carrier for storing resources, such as a read-only memory, a random access memory, a magnetic disk, or an optical disk, and the resources stored thereon may include an operating system 221, a computer program 222, virtual machine data 223, and the virtual machine data 223 may include various data. The storage means may be a temporary storage or a permanent storage.
The operating system 221 manages and controls the hardware devices on the electronic device 20 and the computer program 222, and may be Windows Server, NetWare, Unix, Linux, etc. The computer program 222 may include, besides the program that performs the device network access control method disclosed in any of the previous embodiments on the electronic device 20, programs for other specific tasks.
Further, the present application also discloses a computer-readable storage medium, which may be random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a magnetic disk, an optical disk, or any other form of storage medium known in the art. The computer program stored on it, when executed by a processor, implements the device network access control method disclosed above. For the specific steps of the method, reference may be made to the corresponding content disclosed in the foregoing embodiments, which is not repeated here.
In this specification, each embodiment is described in a progressive manner, and each embodiment is mainly described in a different point from other embodiments, so that the same or similar parts between the embodiments are referred to each other. For the device disclosed in the embodiment, since it corresponds to the method disclosed in the embodiment, the description is relatively simple, and the relevant points refer to the description of the method section. Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative elements and steps are described above generally in terms of functionality in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. The software modules may be disposed in Random Access Memory (RAM), memory, read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Finally, it is further noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The method, the device, the equipment and the storage medium for controlling the network access of the equipment provided by the invention are described in detail, and specific examples are applied to the principle and the implementation mode of the invention, and the description of the above examples is only used for helping to understand the method and the core idea of the invention; meanwhile, as those skilled in the art will have variations in the specific embodiments and application scope in accordance with the ideas of the present invention, the present description should not be construed as limiting the present invention in view of the above.

Claims (10)

1. A method for controlling network access of a device, comprising:
based on the traffic sent by the target Internet of Things device to a switch connected to it, performing device identification on the target Internet of Things device using a preset device identification method so as to obtain a device identification result; the preset device identification method comprises any one or a combination of a flow-feature-based device identification method, a device-fingerprint-based device identification method and a device labeling and identification method for dumb terminal devices;
Based on the device identification result, performing network access control on the target internet of things device by utilizing a preset device access policy; the preset equipment access policy comprises any one or more of an access policy based on equipment characteristics, an access policy based on equipment fingerprints, an access policy based on national standards, an access control policy based on switch linkage and an access control policy based on ARP spoofing.
2. The device network access control method according to claim 1, wherein the step of performing device identification on the target internet of things device by using a preset device identification method based on the flow sent by the target internet of things device to the switch connected with the target internet of things device to obtain a device identification result includes:
analyzing target flow characteristics in a target flow message sent by the target internet of things equipment to a switch connected with the target internet of things equipment to obtain a flow characteristic analysis result; wherein the target flow characteristics are the number of packets, the average length of packets, the sequence of packet lengths, the duration of the flow, the number of bits per second of the flow in the target flow message;
and carrying out equipment identification on the target internet of things equipment based on the flow characteristic analysis result so as to determine the equipment type of the target internet of things equipment.
3. The device network access control method according to claim 1, wherein the step of performing device identification on the target internet of things device by using a preset device identification method based on the flow sent by the target internet of things device to the switch connected with the target internet of things device to obtain a device identification result includes:
Determining flow fingerprint information and device fingerprint information of the target internet of things device based on a TCP message sent by the target internet of things device to a switch connected with the target internet of things device; the flow fingerprint information is a characteristic group for representing the flow characteristics of equipment and the category to which the flow characteristics belong, and the equipment fingerprint information is characteristic information for identifying the identity of the equipment of the target Internet of things;
And matching the device fingerprint information and the flow fingerprint information with information in a preset fingerprint resource library to determine an information matching result of the target Internet of things device.
4. The device network access control method according to claim 1, wherein the step of performing device identification on the target internet of things device by using a preset device identification method based on the flow sent by the target internet of things device to the switch connected with the target internet of things device to obtain a device identification result includes:
acquiring target traffic sent by the target Internet of Things device through a security module arranged inside the device or at its end side, and, based on the target traffic, labeling the target Internet of Things device with device type information using a preset traffic sample knowledge base;
and determining the equipment type of the target internet of things equipment based on the equipment type information.
5. The device network access control method according to claim 2, wherein the performing network access control on the target internet of things device by using a preset device access policy based on the device identification result includes:
judging whether the device type of the target internet of things device exists in a pre-established service white list or not;
If the device type of the target internet of things device exists in the pre-established service white list, allowing the target internet of things device to access the internet of things;
Analyzing the target data sent after the target internet of things equipment is accessed to the internet of things one by one to determine the protocol characteristics of the target internet of things equipment;
Matching the protocol characteristics of the target internet of things equipment with target protocol characteristics which are preset in the service white list and correspond to the equipment type of the target internet of things equipment;
If the protocol features of the target internet of things equipment are successfully matched with the target protocol features which are preset in the service white list and correspond to the equipment type of the target internet of things equipment, the target data are released;
If the protocol feature of the target internet of things equipment is not successfully matched with the target protocol feature corresponding to the equipment type of the target internet of things equipment, which is preset in the service white list, the target data is blocked in real time and the alarm is given out in real time.
6. The device network access control method according to claim 1, characterized by further comprising:
The national standard-based admission policy is configured as an admission policy based on the GB28181 and/or GB35114-2017 standards.
7. The device network access control method according to any one of claims 1 to 6, wherein the obtaining the device identification result based on the traffic sent by the target internet of things device to the switch connected to the target internet of things device and using the preset device identification method to identify the target internet of things device includes:
And acquiring a target flow message sent by target terminal equipment to the switch by utilizing a bypass network flow analysis technology, and carrying out equipment identification on target Internet of things equipment by utilizing a preset equipment identification method based on the target flow message so as to acquire an equipment identification result.
8. A device network access control apparatus, comprising:
The device identification module is configured to perform device identification on the target Internet of Things device, based on the traffic it sends to a switch connected to it, using a preset device identification method, so as to obtain a device identification result; the preset device identification method comprises any one or a combination of a flow-feature-based device identification method, a device-fingerprint-based device identification method and a device labeling and identification method for dumb terminal devices;
The admission control module is used for carrying out network admission control on the target Internet of things equipment by utilizing a preset equipment admission strategy based on the equipment identification result; the preset equipment access policy comprises any one or more of an access policy based on equipment characteristics, an access policy based on equipment fingerprints, an access policy based on national standards, an access control policy based on switch linkage and an access control policy based on ARP spoofing.
9. An electronic device comprising a processor and a memory; wherein the processor, when executing the computer program stored in the memory, implements the device access control method according to any one of claims 1 to 7.
10. A computer-readable storage medium storing a computer program; wherein the computer program, when executed by a processor, implements the device access control method according to any one of claims 1 to 7.
CN202310088291.3A 2023-01-16 2023-01-16 Equipment network access control method, device, equipment and medium Pending CN117938413A (en)


Publications (1)

Publication Number Publication Date
CN117938413A true CN117938413A (en) 2024-04-26

Family

ID=90767158



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination