WO2020042773A1 - Security detection method, equipment and device - Google Patents

Security detection method, equipment and device

Info

Publication number
WO2020042773A1
Authority
WO
WIPO (PCT)
Prior art keywords
iot terminal
iot
target operating
characteristic
terminal
Prior art date
Application number
PCT/CN2019/095522
Other languages
English (en)
French (fr)
Inventor
赵豪
Original Assignee
阿里巴巴集团控股有限公司
Priority date
Filing date
Publication date
Application filed by 阿里巴巴集团控股有限公司
Priority to SG11202010201UA (patent/SG11202010201UA/en)
Priority to EP19854829.9A (patent/EP3820108B1/en)
Publication of WO2020042773A1 (patent/WO2020042773A1/zh)
Priority to US17/082,813 (patent/US11201886B2/en)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G16 INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16Y INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y 10/00 Economic sectors
    • G16Y 10/75 Information technology; Communication
    • G PHYSICS
    • G16 INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16Y INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y 30/00 IoT infrastructure
    • G16Y 30/10 Security thereof
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/12 Detection or prevention of fraud
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/12 Detection or prevention of fraud
    • H04W 12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]

Definitions

  • This specification relates to the field of security technology, and in particular to security detection methods, equipment and devices.
  • IoT (Internet of Things) terminals include, for example, routers, home cameras, smart watches and smart bracelets.
  • IoT terminals usually do not have complex security detection functions. How to ensure the security of IoT terminals has therefore become an urgent technical problem to be solved.
  • To this end, this specification provides a security detection method, equipment and device.
  • In one aspect, a security detection device is provided, configured to detect IoT terminals in an IoT network.
  • The security detection device includes:
  • a software radio unit, configured to monitor wireless signals sent by the IoT terminal and obtain communication messages;
  • an analysis unit, configured to determine a target operating characteristic of the IoT terminal using the communication messages, and to compare the target operating characteristic with a historical normal operating characteristic of the IoT terminal to determine whether the IoT terminal is operating abnormally.
  • Optionally, the target operating characteristics and the historical normal operating characteristics include one or more of the following:
  • characteristics of changes in the number of IoT terminals in the IoT network, characteristics of the receiver of the IoT terminal's communication packets, characteristics of changes in the IoT terminal's packet traffic, online/offline time characteristics of the IoT terminal, or service characteristics of the IoT terminal.
  • Optionally, determining the target operating characteristic of the IoT terminal using the communication message includes:
  • when the check code in the communication message fails verification under the check rule specified by the predetermined communication protocol but is successfully parsed using a private rule, determining that the target operating characteristics of the IoT terminal include the transmission of a hidden message.
  • Optionally, the target operating characteristics and the historical normal operating characteristics include one or more of the following attack characteristics:
  • attack instruction characteristics, set attack behavior characteristics, or interference signal characteristics.
  • Optionally, the hardware capability or computing capability of the IoT terminal is lower than a set parameter.
  • In another aspect, a security detection method is provided, which includes: obtaining a communication message of the IoT terminal, the communication message being obtained by monitoring a wireless signal sent by the IoT terminal using software radio technology; and determining a target operating characteristic of the IoT terminal using the communication message, and comparing the target operating characteristic with a historical normal operating characteristic of the IoT terminal to determine whether the IoT terminal is operating abnormally.
  • Optionally, the target operating characteristics and the historical normal operating characteristics include one or more of the following:
  • characteristics of changes in the number of IoT terminals in the IoT network, characteristics of the receiver of the IoT terminal's communication packets, characteristics of changes in the IoT terminal's packet traffic, online/offline time characteristics of the IoT terminal, or service characteristics of the IoT terminal.
  • Optionally, determining the target operating characteristic of the IoT terminal using the communication message includes:
  • when the check code in the communication message fails verification under the check rule specified by the predetermined communication protocol but is successfully parsed using a private rule, determining that the target operating characteristics of the IoT terminal include the transmission of a hidden message.
  • Optionally, the target operating characteristics and the historical normal operating characteristics include one or more of the following attack characteristics:
  • attack instruction characteristics, set attack behavior characteristics, or interference signal characteristics.
  • Optionally, the hardware capability or computing capability of the IoT terminal is lower than a set parameter.
  • In another aspect, a security detection device is provided, including:
  • an obtaining module, configured to obtain a communication message of the IoT terminal, where the communication message is obtained by monitoring a wireless signal sent by the IoT terminal using software radio technology;
  • a determining module, configured to determine a target operating characteristic of the IoT terminal using the communication message, and to compare the target operating characteristic with a historical normal operating characteristic of the IoT terminal to determine whether the IoT terminal is operating abnormally.
  • Optionally, the target operating characteristics and the historical normal operating characteristics include one or more of the following:
  • characteristics of changes in the number of IoT terminals in the IoT network, characteristics of the receiver of the IoT terminal's communication packets, characteristics of changes in the IoT terminal's packet traffic, online/offline time characteristics of the IoT terminal, or service characteristics of the IoT terminal.
  • Optionally, the determining module is further configured to:
  • when the check code in the communication message fails verification under the check rule specified by the predetermined communication protocol but is successfully parsed using a private rule, determine that the target operating characteristics of the IoT terminal include the transmission of a hidden message.
  • Optionally, the target operating characteristics and the historical normal operating characteristics include one or more of the following attack characteristics:
  • attack instruction characteristics, set attack behavior characteristics, or interference signal characteristics.
  • Optionally, the hardware capability or computing capability of the IoT terminal is lower than a set parameter.
  • In another aspect, a security detection device is provided which includes a software radio processor, a memory, a main processor, and a computer program stored in the memory and executable on the main processor, where the main processor implements the security detection method described above when executing the program.
  • In the embodiments of this specification, a security detection device may be placed in an IoT network.
  • The IoT terminals in the IoT network transmit data by wireless technology.
  • Because the security detection device includes a software radio unit, it can monitor all wireless signals within its wireless coverage.
  • This embodiment uses the security detection device to perform security detection on the IoT terminals in the IoT network without contact, without intrusion, and without depending on the detection capability of the IoT terminals themselves; by acquiring the target operating characteristics of an IoT terminal and combining them with its historical normal operating characteristics, it can discover whether the IoT terminal is operating abnormally, and so realizes security detection for the IoT terminal.
  • Fig. 1A is a schematic diagram of an IoT network according to an exemplary embodiment of the present specification.
  • Fig. 1B is a schematic diagram illustrating an IoT network system according to an exemplary embodiment of the present specification.
  • Fig. 1C is a block diagram of a security detection device according to an exemplary embodiment of the present specification.
  • Fig. 2 is a flowchart of a security detection method according to an exemplary embodiment of the present specification.
  • FIG. 3 is a hardware structural diagram of the equipment in which a security detection device according to an embodiment of the present specification is located.
  • Fig. 4 is a block diagram of a security detection device according to an exemplary embodiment of the present specification.
  • Although the terms first, second, third, etc. may be used in this specification to describe various information, the information should not be limited by these terms. These terms are only used to distinguish information of the same type from each other.
  • For example, first information may also be referred to as second information, and similarly second information may also be referred to as first information.
  • The word "if" as used herein may be interpreted as "when", "upon" or "in response to determining".
  • FIG. 1A is a schematic diagram of an IoT network according to an exemplary embodiment of this specification, including a plurality of IoT terminals, an IoT network controller, and an external attacker device.
  • The external attacker device attacks the IoT terminals.
  • The embodiment shown in FIG. 1A is illustrated using a smart home scenario as an example. In actual applications, IoT networks are also widely used in smart industrial control scenarios and unmanned retail scenarios.
  • The manufacturers of IoT terminals are numerous and varied, and may lack the ability or the motivation to invest in security research. Some IoT terminals have no security detection function at all. Even where one exists, the running code built into the IoT terminal is pre-burned, so the attack detection logic cannot be updated flexibly. Because IoT terminals are designed for low power consumption, their computing capability is usually weak and cannot carry additional complex security detection logic, so their security detection functions are usually weak; moreover, a large part of the attacks on IoT terminals occur at the level of the communication protocol, which makes security detection even more difficult.
  • The embodiments of this specification therefore propose configuring a control device in the IoT network, with this IoT control device implementing security detection for each IoT terminal.
  • Different IoT terminals may use different communication protocols, but most of them communicate via wireless signals, and most attacks on IoT terminals are also carried out over wireless channels.
  • FIG. 1B is a schematic diagram of an IoT network according to an exemplary embodiment of this specification.
  • An additional security detection device is added to the IoT network.
  • The security detection device performs security detection on the IoT terminals in the IoT network without contacting or intruding into an IoT terminal, and without relying on the detection capability of the IoT terminal itself.
  • The security detection device may also be implemented by an existing device in the IoT network; in that case the device can be understood as providing an additional security detection function for the IoT terminals of the original IoT network.
  • FIG. 1C is a block diagram of a security detection device according to an exemplary embodiment of this specification, including:
  • a software radio unit 101, configured to monitor wireless signals sent by the IoT terminal and obtain communication messages;
  • an analysis unit 102, configured to use the communication messages to determine a target operating characteristic of the IoT terminal, compare the target operating characteristic with a historical normal operating characteristic of the IoT terminal, and determine whether the IoT terminal is operating abnormally.
  • The solution proposed in this embodiment adds a security detection device to the IoT network for detecting the IoT terminals.
  • The IoT terminals in the IoT network emit wireless signals. The security detection device listens for all wireless signals and checks, through the monitored signals, whether an IoT terminal is abnormal.
  • The security detection device includes a software radio unit; a broadband software radio tool such as a USRP (Universal Software Radio Peripheral) or a LimeSDR (software-defined radio) may be used.
  • The function of the software radio unit is to sniff wireless signals at all wireless frequencies across the entire protected area, and to split and clean the sniffed signals so as to restore the communication messages corresponding to the communication protocol used by each IoT terminal.
  • The communication protocols used by IoT terminals mainly include Wi-Fi, Bluetooth and Zigbee; the communication messages of all IoT terminals in the IoT network, and those sent by an attacker, are therefore collected and cleaned by this unit.
  • The software radio unit can thus obtain the communication messages sent by the different IoT terminals, and can also distinguish the communication protocol each of them uses.
  • The communication messages obtained by the software radio unit are output to the analysis unit, which uses them to determine the target operating characteristics of the IoT terminal and compares these with the terminal's historical normal operating characteristics to determine whether it is operating abnormally.
  • The historical normal operating characteristics of an IoT terminal can be analyzed in advance. The purpose of the analysis is to determine under what circumstances the IoT terminal is operating normally, so that whether it is operating abnormally can be monitored against those historical normal operating characteristics.
  • Obtaining the historical normal operating characteristics can be implemented in various ways. As an example, the operating data of each IoT terminal in the IoT network can be monitored continuously over a certain time range (during which the IoT terminal must be in a normal operating state), and the normal operating characteristics of the IoT terminal are analyzed from these operating data.
  • Alternatively, logs of the IoT terminal can be obtained for analysis, further combined with test data of the IoT terminal provided by its manufacturer; or the historical normal operation data of other IoT terminals can be obtained through other channels, and the characteristics derived by analyzing the correlation between the IoT terminal to be monitored and those other terminals.
  • The historical normal operating characteristics of the IoT terminal may include a characteristic of changes in the number of IoT terminals in the IoT network, which indicates how that number changes under normal circumstances. For example, from 10 pm to 8 am the number of IoT terminals usually does not change, while in some periods, such as during the day, it usually decreases (for example, smart bracelets worn by users go offline and the count falls).
  • Some IoT terminals may have fixed online or offline times: a smart bracelet is worn by its user, who is usually away from home for a certain period, so such terminals go online or offline at fixed times. The historical normal operating characteristics may therefore further include the online/offline time characteristics of the IoT terminal, and whether the IoT terminal is operating abnormally can be determined from the time at which it goes online or offline.
  • The communication messages of an IoT terminal are usually sent to a particular device: a camera's messages usually go to the router, and a smart bracelet's to the smartphone. If the receiver changes, the IoT terminal may be operating abnormally, so the historical normal operating characteristics may also include the characteristics of the receiver of the IoT terminal's communication packets.
  • The packet traffic of IoT terminals in an IoT network is usually stable: each terminal's communication traffic is usually low, without frequent communication, and is relatively stable at each time of day. If a terminal is attacked, frequent communication messages may appear. Taking the attacker's device into account as well, the characteristics of packet traffic changes can be analyzed by counting the traffic between each IoT terminal and its peers.
  • The communication packets sent by an IoT terminal carry data, which may be processed by the custom rules of the IoT terminal's manufacturer (such as an encryption algorithm). In practice the custom rules of every manufacturer may not be known, so the actual business meaning of the data may not be parsable.
  • The historical normal operating characteristics used in the above embodiments involve changes in the number of communication packets and in traffic, and do not involve the specific business meaning of the data; they do not require the data in the messages to be analyzed at the service level, so they can be applied to all IoT terminals.
  • Where the format of the data in an IoT terminal's communication messages is known, the data carry business meaning, and service characteristics of the IoT terminal can also be used. For example, the service characteristic of a smart bracelet is to send a response message after receiving an instruction from its associated device, or to transmit data such as the step count and heart rate it has collected. If the smart bracelet is found sending the device information of its associated device outward, it may be operating abnormally.
  • In some examples the security detection device can also communicate directly with the IoT terminal.
  • Some IoT terminals have a security detection function that can detect whether they have been attacked; such an IoT terminal can inform the security detection device of the attack or transmit some data to it.
  • However, how the IoT terminal informs the security detection device after finding that it has been attacked becomes a problem, because the entire IoT terminal may already be controlled by the attacker, and data transmitted to the security detection device may be perceived by the attacker.
  • This embodiment provides a solution at the level of the communication protocol.
  • Two communicating parties transmit data-bearing messages according to a communication protocol, which is a set of agreed rules ensuring that the parties can communicate effectively and reliably over a data communication network. These rules cover message format, sequence or rate, acknowledgement or rejection of data transmission, error detection, retransmission control, inquiry, and so on.
  • A message includes a check code field for checking whether the message is in error.
  • The verification process may be: the sender calculates a check code for the transmitted data using the check rule specified by the predetermined communication protocol; the receiver, on receiving the message, calculates a check code for the data in the message with the same check rule and checks whether the calculated check code matches the check code in the message.
  • Normally, the check code in a communication message is generated using the check rule of the predetermined communication protocol, so the historical normal operating characteristics may include: the check code in the communication message is generated using the check rule of the predetermined communication protocol. Considering that an IoT terminal controlled by an attacker needs to transmit data secretly, the IoT terminal in this embodiment can modify the check code field: instead of the check rule specified by the communication protocol, it uses a private rule to generate the check code. The private rule differs from the check rule stipulated by the communication protocol, and its specific implementation can be configured flexibly in practice, provided that the check code generated by the private rule differs from the one the protocol's check rule would generate; fields of the communication message other than the check code are still generated according to the original predetermined communication protocol.
  • In one example, the private rule may be to generate the check code according to the check rule and then modify it, for instance by applying a further conversion to the check code generated according to the check rule; a character conversion relationship may be set that converts that check code into other characters.
  • In another example, the private rule may be to encrypt the alarm data using a preset key and then generate the check code for the encrypted data according to the check rule. The IoT terminal and the security detection device may agree on the secret key in advance. When generating the check code, the alarm data is first encrypted with the preset key (the specific encryption algorithm can be configured flexibly), and a check code is then generated for the encrypted data according to the check rule. In this way the check code is transformed, yet the security detection device can still use it to check whether the data is in error. The attacker's device will think it has received an erroneous message, without being aware of the alarm data sent by the IoT terminal, whereas the security detection device can use the private rule to parse the alarm data out of the message, so that the alarm data is transmitted secretly.
  • The security detection device receives various types of packets sent by the IoT terminal, including normal packets and the packets transmitted secretly as in the foregoing embodiment, so it needs to tell them apart.
  • The security detection device first verifies the check code in the message using the check rule specified by the communication protocol; for a message used for alarming, the check code has been modified, so this verification fails. The security detection device may then parse the check code using the private rule. If the parsing succeeds, it can be determined that the IoT terminal has sent a secret message, so the target operating characteristics of the IoT terminal are determined to include transmitting a hidden message, and the hidden data in the message is obtained.
  • From this, the security detection device can know that the IoT terminal may have been attacked, and can further check and block the attack behavior.
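The two-stage check just described (protocol check rule first, private rule second), as an added example that is not the patent's own code. The page leaves the exact binding between data field and check code open; this example assumes the alarm frame carries the alarm encrypted under the preset key with the check code computed over the plaintext alarm, uses CRC-16/CCITT as a stand-in for the protocol's check rule, and XOR with an HMAC-SHA256 keystream as the "flexibly configured" encryption. Key and sample payloads are constructed.

```python
import hashlib
import hmac

# Constructed stand-in for the protocol's check rule: CRC-16/CCITT-FALSE over the
# data field (a real protocol's own checksum would take its place).
def crc16(data: bytes) -> int:
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc

def keyed_transform(key: bytes, data: bytes) -> bytes:
    """Assumed encryption under the preset key: XOR with an HMAC-SHA256 keystream.
    Applying it twice restores the input, so the same call encrypts and decrypts."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def build_normal_message(data: bytes) -> bytes:
    """Terminal side, protocol check rule: frame = data || CRC(data)."""
    return data + crc16(data).to_bytes(2, "big")

def build_alarm_message(alarm: bytes, key: bytes) -> bytes:
    """Terminal side, private rule: the data field carries the alarm encrypted under
    the preset key, while the check code is the CRC of the plaintext alarm. The
    frame therefore fails the protocol's verification, but a receiver holding the
    key can still use the check code to confirm the alarm arrived intact."""
    return keyed_transform(key, alarm) + crc16(alarm).to_bytes(2, "big")

def classify_message(frame: bytes, key: bytes):
    """Detection-device side. Returns (verdict, payload): 'normal' for a frame that
    passes the protocol's check rule, 'hidden' for one that fails it but parses
    under the private rule (a covert alarm from the terminal), else 'corrupt'."""
    if len(frame) < 3:
        return "corrupt", None
    data, check = frame[:-2], int.from_bytes(frame[-2:], "big")
    if crc16(data) == check:                 # protocol's verification rule
        return "normal", data
    alarm = keyed_transform(key, data)       # private rule: undo the keyed transform
    if crc16(alarm) == check:
        return "hidden", alarm
    return "corrupt", None

if __name__ == "__main__":
    KEY = b"preset-key-agreed-in-advance"    # constructed shared secret
    for frame in (build_normal_message(b"steps=1234"),
                  build_alarm_message(b"ALARM:01", KEY)):
        print(classify_message(frame, KEY))
```

A device without the key sees the alarm frame only as a frame with a bad check code, which is the behaviour the embodiment relies on.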
  • In some examples, characteristics related to attacks may also be collected in advance.
  • For example, a communication message sent by the attacker device to an IoT terminal may include an attack instruction, such as a deauthentication (Deauth) instruction in the Wi-Fi protocol, so attack instruction characteristics may be determined from such instructions.
  • Attacks may include replay attacks, denial-of-service attacks, password brute-force attacks, etc., and the characteristics of such attacks on wireless signals may be obtained as the set attack behavior characteristics.
  • The attacker device may also send interference signals to interfere with the signal transmission of each IoT terminal in the IoT network; interference methods may include co-channel interference, adjacent-channel interference, out-of-band interference, intermodulation interference and blocking interference, so the characteristics of interference signals can be determined.
  • An IoT terminal may have a single target operating characteristic that does not match its historical normal operating characteristics, or several. The analysis unit can summarize and analyze these and make a decision, and the final analysis result can also be sent to the service side.
  • FIG. 2 is a flowchart of a security detection method according to an exemplary embodiment, applicable to the security detection device shown in FIG. 1B, including the following steps:
  • step 202: a communication message of the IoT terminal is acquired, the communication message being obtained by monitoring a wireless signal sent by the IoT terminal using software radio technology;
  • a target operating characteristic of the IoT terminal is determined using the communication message, and the target operating characteristic is compared with a historical normal operating characteristic of the IoT terminal to determine whether the IoT terminal is operating abnormally.
  • Corresponding to the foregoing method embodiments, this specification also provides embodiments of the security detection device and of the equipment to which it is applied.
  • The embodiments of the security detection device of this specification may be applied to electronic equipment.
  • The device embodiments may be implemented by software, by hardware, or by a combination of software and hardware. Taking software implementation as an example, the device in the logical sense is formed by the main processor reading the corresponding computer program instructions from non-volatile memory into memory.
  • FIG. 3 is a hardware structure diagram of the equipment in which the security detection device of the embodiment of this specification is located. In addition to the software radio processor 300, the main processor 310, the memory 330 and the network interface 331 shown in FIG. 3, the electronic equipment in which the device is located may generally include other hardware according to its actual function, which is not described further here.
  • FIG. 4 is a block diagram of a security detection device according to an exemplary embodiment of the present specification.
  • the device includes:
  • an obtaining module 41, configured to obtain a communication message of an IoT terminal, where the communication message is obtained by monitoring a wireless signal sent by the IoT terminal using software radio technology;
  • a determining module 42, configured to use the communication message to determine a target operating characteristic of the IoT terminal, compare the target operating characteristic with a historical normal operating characteristic of the IoT terminal, and determine whether the IoT terminal is operating abnormally.
  • this specification also provides a security detection device, including a software radio processor, a memory, a main processor, and a computer program stored in the memory and executable on the main processor, wherein the main processor executes all Implement the following methods when describing the program:
  • the device embodiments described above are only schematic, and the modules described as separate components may or may not be physically separated, and the components displayed as modules may or may not be It is not a physical module, it can be located in one place, or it can be distributed to multiple network modules. Some or all of these modules can be selected according to actual needs to achieve the purpose of the solution in this specification. Those of ordinary skill in the art can understand and implement without creative efforts.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Development Economics (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Economics (AREA)
  • General Business, Economics & Management (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Health & Medical Sciences (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Telephonic Communication Services (AREA)
  • Alarm Systems (AREA)

Abstract

This specification provides a security detection method, device and apparatus. The security detection device can be placed in an IoT network whose IoT terminals transmit data wirelessly; the device includes a software-defined radio unit, so it can monitor all wireless signals within its radio coverage and thereby obtain the communication messages of the IoT terminals. The embodiment uses this security detection device to perform security detection on the IoT terminals in the IoT network without contact with or intrusion into the IoT terminals and without relying on the detection capabilities of the IoT terminals themselves; moreover, by obtaining the target operating characteristics of an IoT terminal and combining them with its historical normal operating characteristics, it can be discovered whether the IoT terminal is operating abnormally, thereby achieving security detection of the IoT terminal.

Description

Security detection method, device and apparatus
Technical field
This specification relates to the field of security technology, and in particular to a security detection method, device and apparatus.
Background
At present, IoT (Internet of Things) devices such as routers, home cameras, smart watches and smart wristbands play an increasingly important role in people's work and daily life. At the same time, research into and attempts at attacking IoT terminals are also growing. Because of their low-power design, among other reasons, IoT terminals lack complex security detection functions, so how to secure IoT terminals has become a pressing technical problem.
Summary
To overcome the problems in the related art, this specification provides a security detection method, device and apparatus.
According to a first aspect of the embodiments of this specification, a security detection device is provided for detecting IoT terminals in an IoT network. The security detection device includes:
a software-defined radio unit, configured to monitor wireless signals sent by the IoT terminals and obtain communication messages;
an analysis unit, configured to: determine a target operating characteristic of an IoT terminal from the communication messages, compare the target operating characteristic with a historical normal operating characteristic of the IoT terminal, and determine whether the IoT terminal is operating abnormally.
Optionally, the target operating characteristic / historical normal operating characteristic includes one or more of the following:
a characteristic of change in the number of IoT terminals in the IoT network, a recipient characteristic of the IoT terminal's communication messages, a characteristic of change in the IoT terminal's message traffic, a characteristic of the IoT terminal's online/offline times, or a service characteristic of the IoT terminal.
Optionally, determining the target operating characteristic of the IoT terminal from the communication messages includes:
after verification of the check code in a communication message fails under the check rule specified by the predetermined communication protocol, successfully parsing the check code using a private rule, and determining that the target operating characteristic of the IoT terminal includes transmission of a covert message.
Optionally, the target operating characteristic / historical normal operating characteristic includes one or more of the following attack characteristics:
attack command characteristics, set attack behaviour characteristics, or interference signal characteristics.
Optionally, the hardware capability / computing capability of the IoT terminal is below a set parameter.
According to a second aspect of the embodiments of this specification, a security detection method is provided. The method includes:
obtaining communication messages of an IoT terminal, the communication messages being obtained by monitoring wireless signals sent by the IoT terminal using software-defined radio technology;
determining a target operating characteristic of the IoT terminal from the communication messages, comparing the target operating characteristic with a historical normal operating characteristic of the IoT terminal, and determining whether the IoT terminal is operating abnormally.
Optionally, the target operating characteristic / historical normal operating characteristic includes one or more of the following:
a characteristic of change in the number of IoT terminals in the IoT network, a recipient characteristic of the IoT terminal's communication messages, a characteristic of change in the IoT terminal's message traffic, a characteristic of the IoT terminal's online/offline times, or a service characteristic of the IoT terminal.
Optionally, determining the target operating characteristic of the IoT terminal from the communication messages includes:
after verification of the check code in a communication message fails under the check rule specified by the predetermined communication protocol, successfully parsing the check code using a private rule, and determining that the target operating characteristic of the IoT terminal includes transmission of a covert message.
Optionally, the target operating characteristic / historical normal operating characteristic includes one or more of the following attack characteristics:
attack command characteristics, set attack behaviour characteristics, or interference signal characteristics.
Optionally, the hardware capability / computing capability of the IoT terminal is below a set parameter.
According to a third aspect of the embodiments of this specification, a security detection apparatus is provided. The apparatus includes:
an obtaining module, configured to: obtain communication messages of an IoT terminal, the communication messages being obtained by monitoring wireless signals sent by the IoT terminal using software-defined radio technology;
a determining module, configured to: determine a target operating characteristic of the IoT terminal from the communication messages, compare the target operating characteristic with a historical normal operating characteristic of the IoT terminal, and determine whether the IoT terminal is operating abnormally.
Optionally, the target operating characteristic / historical normal operating characteristic includes one or more of the following:
a characteristic of change in the number of IoT terminals in the IoT network, a recipient characteristic of the IoT terminal's communication messages, a characteristic of change in the IoT terminal's message traffic, a characteristic of the IoT terminal's online/offline times, or a service characteristic of the IoT terminal.
Optionally, the determining module is further configured to:
after verification of the check code in a communication message fails under the check rule specified by the predetermined communication protocol, successfully parse the check code using a private rule, and determine that the target operating characteristic of the IoT terminal includes transmission of a covert message.
Optionally, the target operating characteristic / historical normal operating characteristic includes one or more of the following attack characteristics:
attack command characteristics, set attack behaviour characteristics, or interference signal characteristics.
Optionally, the hardware capability / computing capability of the IoT terminal is below a set parameter.
According to a fourth aspect of the embodiments of this specification, a security detection device is provided, including a software-defined radio processor, a memory, a main processor, and a computer program stored in the memory and executable on the main processor, where the main processor, when executing the program, implements the following method:
obtaining communication messages of an IoT terminal, the communication messages being obtained by monitoring, with the software-defined radio processor, wireless signals sent by the IoT terminal;
determining a target operating characteristic of the IoT terminal from the communication messages, comparing the target operating characteristic with a historical normal operating characteristic of the IoT terminal, and determining whether the IoT terminal is operating abnormally.
The technical solutions provided by the embodiments of this specification may have the following beneficial effects:
In the embodiments of this specification, the security detection device can be placed in an IoT network. The IoT terminals in the IoT network transmit data wirelessly, and the security detection device includes a software-defined radio unit, so it can monitor all wireless signals within its radio coverage and thereby obtain the communication messages of the IoT terminals. This embodiment uses the security detection device to perform security detection on the IoT terminals in the IoT network without contact with or intrusion into the IoT terminals and without relying on the detection capabilities of the IoT terminals themselves; moreover, by obtaining the target operating characteristics of an IoT terminal and combining them with its historical normal operating characteristics, it can be discovered whether the IoT terminal is operating abnormally, thereby achieving security detection of the IoT terminal.
It should be understood that the above general description and the following detailed description are merely exemplary and explanatory and do not limit this specification.
Brief description of the drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with this specification and, together with the description, serve to explain the principles of this specification.
FIG. 1A is a schematic diagram of an IoT network according to an exemplary embodiment of this specification.
FIG. 1B is a schematic diagram of an IoT network system according to an exemplary embodiment of this specification.
FIG. 1C is a block diagram of a security detection device according to an exemplary embodiment of this specification.
FIG. 2 is a flowchart of a security detection method according to an exemplary embodiment of this specification.
FIG. 3 is a hardware structure diagram of a device in which the security detection apparatus of an embodiment of this specification is located.
FIG. 4 is a block diagram of a security detection apparatus according to an exemplary embodiment of this specification.
Detailed description
Exemplary embodiments will be described in detail here, with examples shown in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with this specification; rather, they are merely examples of apparatuses and methods consistent with some aspects of this specification as detailed in the appended claims.
The terminology used in this specification is for the purpose of describing particular embodiments only and is not intended to limit this specification. The singular forms "a", "the" and "said" used in this specification and the appended claims are also intended to include the plural forms unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third and so on may be used in this specification to describe various information, such information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of this specification, first information may also be referred to as second information, and similarly, second information may also be referred to as first information. Depending on the context, the word "if" as used herein may be interpreted as "at the time of", "when" or "in response to determining".
FIG. 1A is a schematic diagram of an IoT network according to an exemplary embodiment of this specification. It includes multiple IoT terminals, an IoT network master controller and an external attacker device, where the external attacker device is attacking two of the IoT terminals. The embodiment shown in FIG. 1A uses a smart home scenario as an illustration; in practice, IoT networks are also widely used in scenarios such as smart industrial control and unmanned retail.
IoT terminals come from a wide range of manufacturers, who may lack the capability and the incentive to invest in security research, and some IoT terminals have no security detection function at all. Even where such a function exists, the code built into an IoT terminal is burned in beforehand, so the attack detection logic cannot be updated flexibly. Because IoT terminals are designed for low power consumption, their computing capability is usually weak and cannot bear additional complex security detection logic, so their security detection capability is usually weak; and a large share of attacks on IoT terminals take place at the communication protocol layer, which makes security detection even harder.
In view of this, and considering that implementing security detection on the IoT terminal itself is difficult, the embodiments of this specification propose configuring a control device in the IoT network, with this IoT control device performing security detection for each IoT terminal. In an IoT network, different IoT terminals may use different communication protocols, but most communicate via wireless signals, and most attacks on IoT terminals are likewise carried out over the wireless channel.
FIG. 1B is a schematic diagram of an IoT network according to an exemplary embodiment of this specification. In this embodiment an additional security detection device is added to the IoT network. This security detection device can perform security detection on the IoT terminals in the IoT network without contact with or intrusion into the IoT terminals and without relying on their own detection capabilities. Of course, in other examples the security detection device may also be implemented by an existing device in the IoT network, in which case that device can be understood as providing an additional new security detection function for the IoT terminals of the existing IoT network.
FIG. 1C is a block diagram of a security detection device according to an exemplary embodiment of this specification, including:
a software-defined radio unit 101, configured to: monitor the wireless signals sent by the IoT terminals and obtain communication messages;
an analysis unit 102, configured to: determine a target operating characteristic of an IoT terminal from the communication messages, compare the target operating characteristic with a historical normal operating characteristic of the IoT terminal, and determine whether the IoT terminal is operating abnormally.
For an IoT terminal under attack, some conventional security detection schemes improve the IoT terminal itself so as to raise its protection capability. Owing to the limitations of IoT terminals, their own security detection capability is weak, which can also be understood as the hardware capability / computing capability of the IoT terminal being below a set parameter. The scheme proposed in this embodiment adds a security detection device for detecting the IoT terminals in the IoT network: the IoT terminals in the IoT network emit wireless signals, and within the radio coverage of the security detection device, the security detection device monitors all wireless signals and uses the monitored signals to discover whether an IoT terminal is abnormal.
In this embodiment the security detection device includes a software-defined radio unit, which can be implemented with a wide-band software-defined radio tool such as a USRP (Universal Software Radio Peripheral) or a LimeSDR (Software Defined Radio). The function of the software-defined radio unit is to sniff the wireless signals on all radio frequencies within the entire protected area, split and clean the sniffed signals, and restore them into the communication messages corresponding to the communication protocols used by each IoT terminal; the communication protocols used by IoT terminals mainly include the Wi-Fi protocol, the Bluetooth protocol and the Zigbee protocol. Consequently, the communication messages of all IoT terminals in the IoT network, as well as the communication messages sent by an attacker, are collected and cleaned by this unit, and the software-defined radio unit can obtain the communication messages sent by each individual IoT terminal and can also distinguish them by the communication protocol used.
The communication messages obtained by the software-defined radio unit can be output to the analysis unit, which can determine the target operating characteristic of the IoT terminal from the communication messages, compare it with the historical normal operating characteristic of the IoT terminal, and determine whether the IoT terminal is operating abnormally. Optionally, in this embodiment the historical normal operating characteristics of the IoT terminal can be analysed beforehand; the purpose of the analysis is to determine under what conditions the IoT terminal is operating normally, so that the IoT terminal can be monitored for abnormal operation against the historical normal operating characteristics.
Optionally, the historical normal operating characteristics of an IoT terminal can be obtained in several ways. As an example, the operating data of each IoT terminal in the IoT network can be monitored continuously over a certain period of time (ensuring that the IoT terminals are in a normal operating state), and the normal operating characteristics are derived from this operating data. In other examples, the logs of the IoT terminal can be obtained and analysed, or the test data of the IoT terminal provided by its manufacturer can additionally be combined; or the historical normal operating data of other IoT terminals can be obtained through other channels and analysed together with the correlation between the IoT terminal to be monitored and those other terminals.
In practice, if an attacker appears in the IoT network, the number of IoT terminals in the IoT network may change, for example when a new IoT terminal joins as the attacker's device or an existing IoT terminal goes offline after being attacked. Therefore, the historical normal operating characteristics of the IoT terminals can include a characteristic of change in the number of IoT terminals in the IoT network, which indicates how the number of IoT terminals in the IoT network changes under normal conditions. For example: between 10 p.m. and 8 a.m. the number of IoT terminals usually does not change, while in some periods such as daytime the number usually decreases (for example because a smart wristband worn by the user goes offline).
In other examples, certain IoT terminals may have fixed online or offline times. In a home scenario, for instance, a smart wristband is worn by the user, who is usually away from home during a certain period, so such terminals have fixed online or offline times. Therefore, the historical normal operating characteristics of an IoT terminal can also include a characteristic of the IoT terminal's online/offline times, and whether the IoT terminal is operating abnormally can be judged from its online or offline times.
In other examples, the communication messages of an IoT terminal may always be sent to a particular IoT terminal. In a home scenario, for instance, a camera's communication messages are usually sent to the router and a smart wristband's messages to a smartphone. If an IoT terminal that has a fixed recipient sends communication messages to a newly joined IoT terminal, that IoT terminal may be operating abnormally. Therefore, the historical normal operating characteristics of an IoT terminal can also include a recipient characteristic of the IoT terminal's communication messages.
In other examples, under normal conditions the message traffic of the IoT terminals in an IoT network is usually stable. In home, smart industrial control or unmanned retail scenarios, for example, between 10 p.m. and 8 a.m. the communication message traffic of each IoT terminal is usually low and no frequent communication takes place; likewise, the message traffic of a given IoT terminal may be fairly stable in every period of the day, whereas after being attacked it may frequently send communication messages to the attacker's device. Therefore, the traffic between the individual IoT terminals can be counted and a characteristic of change in message traffic derived from it.
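As an added illustration (not code from the patent or its applicant), the four characteristics just described (terminal count change, online/offline time, recipient, and traffic change) can be learned from a history of messages recovered by the radio unit and then compared against one day of target traffic. The message records, terminal names and the tolerance thresholds are constructed assumptions; the service characteristic of the next paragraphs is not modelled because it needs the manufacturer's data format.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Msg:
    """One communication message as recovered by the SDR unit (constructed
    record: capture day, hour of day, sender, recipient, payload bytes)."""
    day: int
    hour: int
    src: str
    dst: str
    nbytes: int


class Baseline:
    """Historical normal operating characteristics learned from clean traffic."""

    def __init__(self, history: List[Msg]) -> None:
        days = sorted({m.day for m in history})
        active: Dict[Tuple[int, int], Set[str]] = defaultdict(set)
        volume: Dict[Tuple[str, int, int], int] = defaultdict(int)
        self.recipients: Dict[str, Set[str]] = defaultdict(set)    # recipient characteristic
        self.online_hours: Dict[str, Set[int]] = defaultdict(set)  # online/offline time characteristic
        for m in history:
            active[(m.day, m.hour)].add(m.src)
            volume[(m.src, m.day, m.hour)] += m.nbytes
            self.recipients[m.src].add(m.dst)
            self.online_hours[m.src].add(m.hour)
        # terminal-count characteristic: mean number of active terminals per hour of day
        self.count_by_hour: Dict[int, float] = {
            h: mean(len(active[(d, h)]) for d in days) for h in range(24)
        }
        # traffic characteristic: mean and spread of bytes per terminal and hour
        self.traffic: Dict[Tuple[str, int], Tuple[float, float]] = {}
        for src in list(self.recipients):
            for h in range(24):
                samples = [volume[(src, d, h)] for d in days]
                self.traffic[(src, h)] = (mean(samples), pstdev(samples))


def detect_anomalies(base: Baseline, window: List[Msg]) -> List[Tuple[str, str, str]]:
    """Compare one observed day (target characteristics) with the baseline.
    Returns (terminal, characteristic, detail) tuples; '*' means network-wide."""
    findings: List[Tuple[str, str, str]] = []
    active: Dict[int, Set[str]] = defaultdict(set)
    volume: Dict[Tuple[str, int], int] = defaultdict(int)
    new_pairs: Set[Tuple[str, str, int]] = set()
    for m in window:
        active[m.hour].add(m.src)
        volume[(m.src, m.hour)] += m.nbytes
        if m.src in base.recipients and m.dst not in base.recipients[m.src]:
            new_pairs.add((m.src, m.dst, m.hour))
    for h in range(24):
        expected = base.count_by_hour[h]
        if abs(len(active[h]) - expected) >= 1:  # assumption: a whole terminal off the mean
            findings.append(("*", "terminal_count",
                             f"hour {h}: {len(active[h])} active, baseline {expected:.1f}"))
    for (src, h), nbytes in sorted(volume.items()):
        if src not in base.recipients:
            findings.append((src, "unknown_terminal", f"hour {h}: never seen in history"))
            continue
        if h not in base.online_hours[src]:
            findings.append((src, "online_time", f"hour {h}: outside usual online hours"))
            continue
        mu, sigma = base.traffic[(src, h)]
        if nbytes > mu + max(3 * sigma, 0.2 * mu):  # assumption: tolerance band
            findings.append((src, "traffic_change",
                             f"hour {h}: {nbytes} bytes, baseline {mu:.0f} +/- {sigma:.0f}"))
    for src, dst, h in sorted(new_pairs):
        findings.append((src, "recipient", f"hour {h}: sends to {dst}"))
    return findings


def normal_day(day: int) -> List[Msg]:
    """Constructed clean day: a camera streams to the router around the clock,
    a wristband talks to the phone only while the user is at home."""
    msgs: List[Msg] = []
    for h in range(24):
        msgs += [Msg(day, h, "cam-01", "router", 200) for _ in range(10)]
        if h < 9 or h >= 18:
            msgs += [Msg(day, h, "band-01", "phone", 50) for _ in range(5)]
    return msgs


HISTORY = [m for d in range(7) for m in normal_day(d)]


def suspicious_day() -> List[Msg]:
    """Constructed target day with the three deviations the text describes."""
    msgs = normal_day(7)
    msgs.append(Msg(7, 3, "rogue-01", "cam-01", 30))                     # new terminal joins at 03:00
    msgs += [Msg(7, 3, "cam-01", "rogue-01", 200) for _ in range(40)]    # camera bursts to it
    msgs.append(Msg(7, 12, "band-01", "phone", 50))                      # wristband online at noon
    return msgs


if __name__ == "__main__":
    for finding in detect_anomalies(Baseline(HISTORY), suspicious_day()):
        print(finding)
```

On the clean day the function returns an empty list; on the constructed suspicious day it reports the terminal-count change at 03:00 and 12:00, the unknown terminal, the camera's traffic spike and new recipient, and the wristband's unusual online hour. The thresholds are deliberately simple; a deployment would learn them per terminal from the same history.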
The communication messages sent by an IoT terminal carry data, and this data may have been processed under the manufacturer's own custom rules (for example encryption algorithms). In practice the custom rules of every IoT terminal manufacturer may not be known, so the actual service meaning of the data may not be parsable. The historical normal operating characteristics used in the above embodiments concern changes in the number of communication messages, changes in traffic and the like; they do not involve the specific service meaning of the data and do not require service-level parsing of the data in the messages, so they can be applied to all IoT terminals.
Where the custom rules are known (for example because the security detection device and the IoT terminal come from the same manufacturer, through cooperation with the IoT terminal's manufacturer, or through reverse engineering), the data in the communication messages sent by the IoT terminal can also be formatted into data with service meaning. In that case the service data of the IoT terminal can be analysed from historical operating data and a service characteristic determined. For example, the service characteristic of a smart wristband is that it sends a response message after receiving a command from its associated device, or that it transmits data collected by the wristband such as step counts and heart rate; if the smart wristband is found to be sending the device information of its associated device outwards, the smart wristband may be operating abnormally.
In practice, the security detection device can also communicate directly with the IoT terminals. Some IoT terminals have a security detection function and can detect whether they are under attack; such an IoT terminal can report attack information to the security detection device or transmit some data to it. However, how an IoT terminal should notify the security detection device after discovering that it is under attack becomes a difficult problem, because the entire IoT terminal is already controlled by the attacker, and transmitting data to the security detection device may be noticed by the attacker. This embodiment therefore provides a solution at the level of the communication protocol. Normally, the two communicating parties transmit data-carrying messages according to a communication protocol, which is a set of rules agreed so that the two parties in a data communication network can communicate effectively and reliably. These rules cover message format, ordering or rate, acknowledgement or rejection of data transmissions, error detection, retransmission control, enquiry, and so on.
A message usually includes a check code field used to verify whether the message is erroneous. The verification process can be: the sender computes a check code over the transmitted data using the check rule specified by the predetermined communication protocol; the receiver receives the message, computes a check code over the data in the message using the same check rule, and compares the computed check code with the check code in the message.
Under normal conditions the check code in a communication message is generated with the check rule of the predetermined communication protocol, so the historical normal operating characteristics can include: the check code in the communication message is generated with the check rule of the predetermined communication protocol. Considering that an IoT terminal controlled by an attacker needs to transmit data covertly, in this embodiment the IoT terminal can modify the check code field: unlike the check rule specified by the communication protocol, this embodiment generates the check code with a private rule. The private rule differs from the check rule specified by the communication protocol; its concrete implementation can be configured flexibly in practice as needed, as long as the check code generated with the private rule differs from the one generated with the protocol's check rule, while the fields of the communication message other than the check code are generated according to the original predetermined communication protocol. As an example, the private rule may be: generate the check code with the check rule and then modify it in some way, for example by applying a further transformation to the check code generated by the check rule; optionally, a character mapping can be set that converts the check code generated by the check rule into other characters. In other examples, the private rule may be to encrypt the alert data with a preset key and generate the check code over the encrypted data according to the check rule. In this embodiment the IoT terminal and the security detection device can agree on a key in advance (a symmetric or an asymmetric key); to generate the check code, the alert data is first encrypted with the preset key (the specific encryption algorithm can be configured flexibly) and the check code is then generated over the encrypted data according to the check rule. In this way the check code is modified, and the security detection device can still use the check code to verify whether the data is erroneous. The attacker's device will take the message for an erroneous one and will not notice that the IoT terminal has emitted alert data, while the IoT control device can parse the alert data out of the message using the private rule, achieving covert transmission of the alert data.
Consequently, the security detection device can receive various kinds of messages sent by an IoT terminal, including normal messages and the covertly transmitted messages of the foregoing embodiment, and it needs to identify them. As required by the communication protocol, after receiving a message the security detection device verifies the check code in the message using the check rule specified by the protocol; for a message used for alerting, the verification fails because the check code has been modified. In the scheme of this embodiment, if the verification fails, the security detection device can parse the check code using the private rule; if the parsing succeeds, it can determine that the IoT terminal has sent a covert message, and therefore determines that the target operating characteristic of the IoT terminal includes transmission of a covert message, and then obtains the covert data in the message. The security detection device thus learns that the IoT terminal may have been attacked and can further investigate and block the attack behaviour.
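As an added example (not code from the patent or its applicant), the check-code handling of the preceding paragraphs instantiated end to end: the terminal side builds a normal frame or a covert alert frame, and the detection-device side verifies with the protocol rule first and falls back to the private rule only on failure. CRC-32 stands in for the protocol's check rule and a keyed XOR stream derived with SHA-256 stands in for "encrypt the alert data with the preset key"; both are assumptions, as are the frame layout and names.

```python
import hashlib
import struct
import zlib
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Frame:
    """Constructed minimal frame: every field but the check code is built as
    the protocol prescribes; only the check code is what the private rule
    reshapes."""
    src: str
    seq: int
    data: bytes
    checksum: int


def protocol_checksum(data: bytes) -> int:
    # Stand-in for the check rule of the predetermined protocol (assumption:
    # the description names no concrete rule; CRC-32 is used for illustration).
    return zlib.crc32(data) & 0xFFFFFFFF


def _keystream(key: bytes, seq: int, length: int) -> bytes:
    # Constructed key-derived stream for this example only: SHA-256 over the
    # pre-shared key, the sequence number and a block counter.
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack(">II", seq, block)).digest()
        block += 1
    return out[:length]


def encrypt_with_preset_key(data: bytes, key: bytes, seq: int) -> bytes:
    # The "encrypt the alert data with the preset key" step, as XOR with the
    # derived stream. Illustrative only, not a production cipher.
    return bytes(a ^ b for a, b in zip(data, _keystream(key, seq, len(data))))


def private_checksum(data: bytes, key: bytes, seq: int) -> int:
    # Private rule from the description: the protocol's check rule applied to
    # the encrypted alert data instead of to the data itself.
    return protocol_checksum(encrypt_with_preset_key(data, key, seq))


def build_normal_frame(src: str, seq: int, data: bytes) -> Frame:
    return Frame(src, seq, data, protocol_checksum(data))


def build_covert_alert_frame(src: str, seq: int, alert: bytes, key: bytes) -> Frame:
    # Terminal side: identical layout, only the check-code field follows the
    # private rule, so every other receiver sees a failed check.
    return Frame(src, seq, alert, private_checksum(alert, key, seq))


def classify_frame(frame: Frame, key: bytes) -> Tuple[str, Optional[bytes]]:
    """Detection-device side: verify with the protocol rule first; only when
    that fails, try the private rule. Returns (verdict, alert_data)."""
    if protocol_checksum(frame.data) == frame.checksum:
        return "normal", None
    if private_checksum(frame.data, key, frame.seq) == frame.checksum:
        return "covert_alert", frame.data
    return "corrupt", None


if __name__ == "__main__":
    shared = b"shared-key"  # constructed pre-agreed key
    print(classify_frame(build_normal_frame("cam-01", 7, b"\x01\x02\x03"), shared))
    alert = build_covert_alert_frame("band-01", 8, b"ALERT:compromised", shared)
    print(classify_frame(alert, shared))
    print(classify_frame(alert, b"wrong-key"))
```

Two points worth noting when applying this. A receiver that lacks the key, including a genuinely corrupted frame, lands in the same "corrupt" bucket, which is exactly the ambiguity the description relies on; and in this instantiation the alert bytes travel in the clear in the data field, because the description keeps every field except the check code in its original protocol form. A frame that merely fails the protocol check should therefore be logged as a check failure, not as an alert, unless the private-rule verification also succeeds.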
In practice, when an attacker's device attacks an IoT terminal, the attack behaviour may differ somewhat from normal communication behaviour, so this embodiment can also collect attack-related characteristics in advance. In some examples, the communication messages sent by the attacker's device to an IoT terminal may contain attack commands, such as the Deauth attack command in the WiFi protocol, so attack command characteristics can be determined from such commands. In other examples, attack behaviour may include replay attacks, denial-of-service attacks, password brute-forcing and the like, and the characteristics of such attack behaviour in the wireless signal can be obtained as set attack behaviour characteristics. In other examples, the attacker's device may emit interference signals to disturb the signal transmission of the IoT terminals in the IoT network; the interference may include co-channel interference, adjacent-channel interference, out-of-band interference, intermodulation interference and blocking interference, so interference signal characteristics can be determined.
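As an added example of the attack command characteristic named above (not code from the patent or its applicant): a detection-side sliding-window counter over captured 802.11 management frames that flags any source emitting deauthentication or disassociation frames at a rate a legitimate access point does not. The 802.11 type/subtype values are the standard ones; the capture records, address labels, window length and threshold are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# 802.11 frame-control values: management frames are type 0; subtype 12 is
# deauthentication, 10 is disassociation, 8 is beacon.
MGMT = 0
DEAUTH = 12
DISASSOC = 10
BEACON = 8


@dataclass(frozen=True)
class MgmtFrame:
    """Constructed capture record: timestamp (s), type, subtype, addresses."""
    t: float
    ftype: int
    subtype: int
    src: str
    dst: str


def deauth_peak_by_source(frames: List[MgmtFrame], window_s: float = 10.0) -> Dict[str, int]:
    """For each source, the largest number of deauth/disassoc frames it sent
    inside any window_s-second window (two-pointer sweep over sorted times)."""
    times_by_src: Dict[str, List[float]] = defaultdict(list)
    for f in frames:
        if f.ftype == MGMT and f.subtype in (DEAUTH, DISASSOC):
            times_by_src[f.src].append(f.t)
    peaks: Dict[str, int] = {}
    for src, times in times_by_src.items():
        times.sort()
        best, lo = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] > window_s:
                lo += 1
            best = max(best, hi - lo + 1)
        peaks[src] = best
    return peaks


def flag_deauth_flood(frames: List[MgmtFrame], window_s: float = 10.0, threshold: int = 20) -> List[str]:
    """Sources whose peak deauth/disassoc rate reaches the threshold
    (assumption: 20 frames in 10 s is far above benign housekeeping)."""
    peaks = deauth_peak_by_source(frames, window_s)
    return sorted(src for src, n in peaks.items() if n >= threshold)


def sample_capture() -> List[MgmtFrame]:
    """Constructed capture: a real AP sends two isolated deauth frames and
    beacons, while an unknown source bursts 50 deauth frames at the camera."""
    frames = [
        MgmtFrame(0.0, MGMT, DEAUTH, "ap-01", "cam-01"),
        MgmtFrame(60.0, MGMT, DEAUTH, "ap-01", "band-01"),
    ]
    frames += [MgmtFrame(100.0 + i, MGMT, BEACON, "ap-01", "ff:ff:ff:ff:ff:ff") for i in range(10)]
    frames += [MgmtFrame(100.0 + i * 0.1, MGMT, DEAUTH, "rogue-mac", "cam-01") for i in range(50)]
    return frames


if __name__ == "__main__":
    print(deauth_peak_by_source(sample_capture()))
    print(flag_deauth_flood(sample_capture()))
```

Because deauthentication frames in pre-802.11w networks carry no authentication, the source address alone does not prove who sent them; the detector therefore reports the observed burst and lets the analysis unit correlate it with the other characteristics (for instance the terminal going offline right afterwards) before deciding.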
As can be understood from the above embodiments, there can be many kinds of operating characteristics. When the analysis unit analyses the output of the software-defined radio unit, an IoT terminal may have one target operating characteristic that does not match the historical normal operating characteristics, or several; the analysis unit can aggregate, analyse and decide, and the final analysis result can also be sent to the service side.
Corresponding to the foregoing embodiment of the IoT network system, this specification also provides an embodiment of a security detection method. As shown in FIG. 2, which is a flowchart of a security detection method according to an exemplary embodiment of this specification, the method can be applied to the security detection device shown in FIG. 1B and includes the following steps:
Step 202: obtain communication messages of an IoT terminal, the communication messages being obtained by monitoring wireless signals sent by the IoT terminal using software-defined radio technology;
Step 204: determine a target operating characteristic of the IoT terminal from the communication messages, compare the target operating characteristic with a historical normal operating characteristic of the IoT terminal, and determine whether the IoT terminal is operating abnormally.
Optionally, the target operating characteristic / historical normal operating characteristic includes one or more of the following:
a characteristic of change in the number of IoT terminals in the IoT network, a recipient characteristic of the IoT terminal's communication messages, a characteristic of change in the IoT terminal's message traffic, a characteristic of the IoT terminal's online/offline times, or a service characteristic of the IoT terminal.
Optionally, determining the target operating characteristic of the IoT terminal from the communication messages includes:
after verification of the check code in a communication message fails under the check rule specified by the predetermined communication protocol, successfully parsing the check code using a private rule, and determining that the target operating characteristic of the IoT terminal includes transmission of a covert message.
Optionally, the target operating characteristic / historical normal operating characteristic includes one or more of the following attack characteristics:
attack command characteristics, set attack behaviour characteristics, or interference signal characteristics.
Optionally, the hardware capability / computing capability of the IoT terminal is below a set parameter.
Corresponding to the foregoing embodiment of the security detection method, this specification also provides embodiments of a security detection apparatus and of the device to which it is applied.
The embodiments of the security detection apparatus of this specification can be applied to electronic devices. The apparatus embodiments may be implemented by software, or by hardware or a combination of software and hardware. Taking software implementation as an example, the apparatus in the logical sense is formed by the main processor reading the corresponding computer program instructions from non-volatile memory into memory and running them. At the hardware level, as shown in FIG. 3, which is a hardware structure diagram of the device in which the security detection apparatus of an embodiment of this specification is located, besides the software-defined radio processor 300, main processor 310, memory 330, network interface 320 and non-volatile memory 340 shown in FIG. 3, the electronic device in which the apparatus 331 of the embodiment is located may usually also include other hardware according to the actual function of that device, which is not described again here.
As shown in FIG. 4, which is a block diagram of a security detection apparatus according to an exemplary embodiment of this specification, the apparatus includes:
an obtaining module 41, configured to: obtain communication messages of an IoT terminal, the communication messages being obtained by monitoring wireless signals sent by the IoT terminal using software-defined radio technology;
a determining module 42, configured to: determine a target operating characteristic of the IoT terminal from the communication messages, compare the target operating characteristic with a historical normal operating characteristic of the IoT terminal, and determine whether the IoT terminal is operating abnormally.
Optionally, the target operating characteristic / historical normal operating characteristic includes one or more of the following:
a characteristic of change in the number of IoT terminals in the IoT network, a recipient characteristic of the IoT terminal's communication messages, a characteristic of change in the IoT terminal's message traffic, a characteristic of the IoT terminal's online/offline times, or a service characteristic of the IoT terminal.
Optionally, the determining module is further configured to:
after verification of the check code in a communication message fails under the check rule specified by the predetermined communication protocol, successfully parse the check code using a private rule, and determine that the target operating characteristic of the IoT terminal includes transmission of a covert message.
Optionally, the target operating characteristic / historical normal operating characteristic includes one or more of the following attack characteristics:
attack command characteristics, set attack behaviour characteristics, or interference signal characteristics.
Optionally, the hardware capability / computing capability of the IoT terminal is below a set parameter.
Correspondingly, this specification also provides a security detection device including a software-defined radio processor, a memory, a main processor, and a computer program stored in the memory and executable on the main processor, where the main processor, when executing the program, implements the following method:
obtaining communication messages of an IoT terminal, the communication messages being obtained by monitoring, with the software-defined radio processor, wireless signals sent by the IoT terminal;
determining a target operating characteristic of the IoT terminal from the communication messages, comparing the target operating characteristic with a historical normal operating characteristic of the IoT terminal, and determining whether the IoT terminal is operating abnormally.
The implementation of each step of the above security detection method, and of the functions and roles of each module of the security detection apparatus, is detailed in the implementation of the IoT network system above and is not repeated here.
As for the apparatus embodiments, those described above are merely illustrative: the modules described as separate components may or may not be physically separate, and the components shown as modules may or may not be physical modules, that is, they may be located in one place or distributed over multiple network modules. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution of this specification. Those of ordinary skill in the art can understand and implement this without creative effort.
Specific embodiments of this specification have been described above. Other embodiments are within the scope of the appended claims. In some cases, the actions or steps recited in the claims can be performed in an order different from that in the embodiments and still achieve the desired results. In addition, the processes depicted in the drawings do not necessarily require the particular order shown, or sequential order, to achieve the desired results. In certain implementations, multitasking and parallel processing are also possible or may be advantageous.
Other embodiments of this specification will readily occur to those skilled in the art after considering the specification and practising the invention applied for here. This specification is intended to cover any variations, uses or adaptations that follow its general principles and include common knowledge or customary technical means in the art not applied for in this specification. The specification and examples are to be regarded as exemplary only, with the true scope and spirit of this specification indicated by the following claims.
It should be understood that this specification is not limited to the precise structure described above and shown in the drawings, and that various modifications and changes can be made without departing from its scope. The scope of this specification is limited only by the appended claims.
The above are merely preferred embodiments of this specification and are not intended to limit it; any modification, equivalent replacement, improvement and the like made within the spirit and principles of this specification shall be included within its scope of protection.

Claims (12)

  1. A security detection device for detecting IoT terminals in an IoT network, the security detection device comprising:
    a software-defined radio unit, configured to monitor wireless signals sent by the IoT terminals and obtain communication messages;
    an analysis unit, configured to: determine a target operating characteristic of an IoT terminal from the communication messages, compare the target operating characteristic with a historical normal operating characteristic of the IoT terminal, and determine whether the IoT terminal is operating abnormally.
  2. The device according to claim 1, wherein the target operating characteristic / historical normal operating characteristic comprises one or more of the following:
    a characteristic of change in the number of IoT terminals in the IoT network, a recipient characteristic of the IoT terminal's communication messages, a characteristic of change in the IoT terminal's message traffic, a characteristic of the IoT terminal's online/offline times, or a service characteristic of the IoT terminal.
  3. The device according to claim 1, wherein determining the target operating characteristic of the IoT terminal from the communication messages comprises:
    after verification of the check code in a communication message fails under the check rule specified by a predetermined communication protocol, successfully parsing the check code using a private rule, and determining that the target operating characteristic of the IoT terminal includes transmission of a covert message.
  4. The device according to claim 1, wherein the target operating characteristic / historical normal operating characteristic comprises one or more of the following attack characteristics:
    attack command characteristics, set attack behaviour characteristics, or interference signal characteristics.
  5. The device according to claim 1, wherein the hardware capability / computing capability of the IoT terminal is below a set parameter.
  6. A security detection method, comprising:
    obtaining communication messages of an IoT terminal, the communication messages being obtained by monitoring wireless signals sent by the IoT terminal using software-defined radio technology;
    determining a target operating characteristic of the IoT terminal from the communication messages, comparing the target operating characteristic with a historical normal operating characteristic of the IoT terminal, and determining whether the IoT terminal is operating abnormally.
  7. The method according to claim 1, wherein the target operating characteristic / historical normal operating characteristic comprises one or more of the following:
    a characteristic of change in the number of IoT terminals in the IoT network, a recipient characteristic of the IoT terminal's communication messages, a characteristic of change in the IoT terminal's message traffic, a characteristic of the IoT terminal's online/offline times, or a service characteristic of the IoT terminal.
  8. The method according to claim 6, wherein determining the target operating characteristic of the IoT terminal from the communication messages comprises:
    after verification of the check code in a communication message fails under the check rule specified by a predetermined communication protocol, successfully parsing the check code using a private rule, and determining that the target operating characteristic of the IoT terminal includes transmission of a covert message.
  9. The method according to claim 6, wherein the target operating characteristic / historical normal operating characteristic comprises one or more of the following attack characteristics:
    attack command characteristics, set attack behaviour characteristics, or interference signal characteristics.
  10. The method according to claim 6, wherein the hardware capability / computing capability of the IoT terminal is below a set level.
  11. A security detection apparatus, comprising:
    an obtaining module, configured to: obtain communication messages of an IoT terminal, the communication messages being obtained by monitoring wireless signals sent by the IoT terminal using software-defined radio technology;
    a determining module, configured to: determine a target operating characteristic of the IoT terminal from the communication messages, compare the target operating characteristic with a historical normal operating characteristic of the IoT terminal, and determine whether the IoT terminal is operating abnormally.
  12. A security detection device, comprising a software-defined radio processor, a memory, a main processor, and a computer program stored in the memory and executable on the main processor, wherein the main processor, when executing the program, implements the following method:
    obtaining communication messages of an IoT terminal, the communication messages being obtained by monitoring, with the software-defined radio processor, wireless signals sent by the IoT terminal;
    determining a target operating characteristic of the IoT terminal from the communication messages, comparing the target operating characteristic with a historical normal operating characteristic of the IoT terminal, and determining whether the IoT terminal is operating abnormally.
PCT/CN2019/095522 2018-08-29 2019-07-11 Security detection method, device and apparatus WO2020042773A1 (zh)

Priority Applications (3)

Application Number Priority Date Filing Date Title
SG11202010201UA SG11202010201UA (en) 2018-08-29 2019-07-11 Security Detection Method, Device, And Apparatus
EP19854829.9A EP3820108B1 (en) 2018-08-29 2019-07-11 Security detection method, apparatus and device
US17/082,813 US11201886B2 (en) 2018-08-29 2020-10-28 Security detection method, device, and apparatus

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810995418.9A CN109067763B (zh) 2018-08-29 2018-08-29 Security detection method, device and apparatus
CN201810995418.9 2018-08-29

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US17/082,813 Continuation US11201886B2 (en) 2018-08-29 2020-10-28 Security detection method, device, and apparatus

Publications (1)

Publication Number Publication Date
WO2020042773A1 true WO2020042773A1 (zh) 2020-03-05

Family

ID=64757688

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/095522 WO2020042773A1 (zh) 2018-08-29 2019-07-11 Security detection method, device and apparatus

Country Status (6)

Country Link
US (1) US11201886B2 (zh)
EP (1) EP3820108B1 (zh)
CN (1) CN109067763B (zh)
SG (1) SG11202010201UA (zh)
TW (1) TWI716013B (zh)
WO (1) WO2020042773A1 (zh)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
IT202000008155A1 (it) * 2020-04-17 2021-10-17 Nsr S R L Method and system for vulnerability assessment of IoT devices
EP3896591A1 (en) * 2020-04-17 2021-10-20 NSR S.r.l. Method and system for security assessment of iot devices

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109067763B (zh) 2018-08-29 2020-05-29 阿里巴巴集团控股有限公司 Security detection method, device and apparatus
WO2020206620A1 (en) * 2019-04-09 2020-10-15 Orange Methods and apparatus to discriminate authentic wireless internet-of-things devices
EP3799451B1 (en) * 2019-09-26 2022-07-20 Nokia Technologies Oy Method and apparatus for compromised iot device detection
CN111181957B (zh) * 2019-12-27 2020-12-04 温州心合网络科技有限公司 IoT device security verification method, system and central control device
CN111240928B (zh) * 2020-01-06 2024-04-09 上海闻泰信息技术有限公司 Automated device-driver detection method, apparatus, device and storage medium
CN112083659A (zh) * 2020-09-27 2020-12-15 珠海格力电器股份有限公司 Smart home system security monitoring method, smart home system and storage medium
CN112654024B (zh) * 2020-12-28 2022-08-02 支付宝(杭州)信息技术有限公司 Security detection method, apparatus and computer device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103532940A (zh) * 2013-09-30 2014-01-22 广东电网公司电力调度控制中心 Network security detection method and apparatus
CN103619012A (zh) * 2013-12-02 2014-03-05 中国联合网络通信集团有限公司 Mobile Internet security assessment method and system
CN107135093A (zh) * 2017-03-17 2017-09-05 西安电子科技大学 Finite-automaton-based IoT intrusion detection method and detection system
CN107154940A (zh) * 2017-05-11 2017-09-12 济南大学 IoT vulnerability scanning system and scanning method
CN109067763A (zh) * 2018-08-29 2018-12-21 阿里巴巴集团控股有限公司 Security detection method, device and apparatus

Family Cites Families (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9450973B2 (en) * 2011-11-21 2016-09-20 At&T Intellectual Property I, L.P. Method and apparatus for machine to machine network security monitoring in a communications network
US9979606B2 (en) * 2015-03-04 2018-05-22 Qualcomm Incorporated Behavioral analysis to automate direct and indirect local monitoring of internet of things device health
US10148691B2 (en) * 2016-12-31 2018-12-04 Fortinet, Inc. Detection of unwanted electronic devices to provide, among other things, internet of things (IoT) security
TWI637621B (zh) * 2017-01-05 2018-10-01 緯創資通股份有限公司 IoT reading device, secure access method and control center equipment
CA3049112C (en) * 2017-01-06 2023-02-14 Highwinds Holdings, Inc. Cryptographic network protocol escalation path
EP3361765A1 (en) * 2017-02-10 2018-08-15 Kamstrup A/S Radio frequency communication system and method
CN107135092B (zh) * 2017-03-15 2019-11-05 浙江工业大学 Web service clustering method for a global social service network
CN106878339A (zh) * 2017-03-30 2017-06-20 国网福建省电力有限公司 Vulnerability scanning system and method based on IoT terminal devices
CN107426181B (zh) * 2017-06-20 2019-09-17 竞技世界(北京)网络技术有限公司 Method and apparatus for intercepting malicious Web access requests
US10887189B2 (en) * 2017-08-03 2021-01-05 Dish Network L.L.C. Systems and methods of mapping connected devices
US10616168B2 (en) * 2017-11-07 2020-04-07 International Business Machines Corporation Dynamically changing message classification and priority based on IOT device publication
CN108063753A (zh) * 2017-11-10 2018-05-22 全球能源互联网研究院有限公司 Information security monitoring method and system
US10637873B2 (en) * 2018-03-20 2020-04-28 Bank Of America Corporation Smart internet of things (“IOT”) relay monitors

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of EP3820108A4 *

Also Published As

Publication number Publication date
TWI716013B (zh) 2021-01-11
CN109067763A (zh) 2018-12-21
US11201886B2 (en) 2021-12-14
CN109067763B (zh) 2020-05-29
SG11202010201UA (en) 2020-11-27
US20210075813A1 (en) 2021-03-11
EP3820108B1 (en) 2022-12-07
TW202009769A (zh) 2020-03-01
EP3820108A4 (en) 2021-11-10
EP3820108A1 (en) 2021-05-12

Similar Documents

Publication Publication Date Title
WO2020042773A1 (zh) Security detection method, device and apparatus
Dadkhah et al. Towards the development of a realistic multidimensional IoT profiling dataset
Amaral et al. Policy and network-based intrusion detection system for IPv6-enabled wireless sensor networks
Thanigaivelan et al. Distributed internal anomaly detection system for Internet-of-Things
US11863556B2 (en) Configuring access for internet-of-things and limited user interface devices
KR102303689B1 (ko) System and method for establishing a secure communication channel with an Internet of Things (IoT) device
Gu et al. Bf-iot: Securing the iot networks via fingerprinting-based device authentication
EP3888317B1 (en) Detection of security threats in a mesh network
US10419937B2 (en) Network monitoring system with remote access
CN109194643B (zh) Data transmission and message parsing method, apparatus and device
Rullo et al. Past: Protocol-adaptable security tool for heterogeneous iot ecosystems
Akestoridis et al. On the security of thread networks: Experimentation with openthread-enabled devices
US11689928B2 (en) Detecting unauthorized access to a wireless network
KR101080293B1 (ko) Malicious node detection apparatus and detection method in a wireless sensor network
Shebaro et al. Fine-grained analysis of packet losses in wireless sensor networks
Raposo et al. Securing wirelesshart: monitoring, exploring and detecting new vulnerabilities
Midi et al. A system for response and prevention of security incidents in wireless sensor networks
Tuen Security in Internet of Things Systems
Nguyen et al. Towards improving explainability, resilience and performance of cybersecurity analysis of 5G/IoT networks (work-in-progress paper)
CN115001863B (zh) Network security vulnerability detection method, apparatus, medium and electronic device
Akestoridis Security tools for attacking and monitoring low-power wireless personal area networks
Xu et al. An Efficient Compromised Nodes Detection System in Wireless Sensor Networks.
Choukhairi et al. TTIDS: A Time-Driven Trust Based Intrusion Detection System for IoT Networks
Zeichick Detecting Rogue Manipulation of Smart Home Device Settings
US20120246524A1 (en) Debugging aid for secure wireless systems

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19854829

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

ENP Entry into the national phase

Ref document number: 2019854829

Country of ref document: EP

Effective date: 20210329