WO2023098407A1 - Communication control method and apparatus between a USB device and a protected device, and electronic device - Google Patents


Info

Publication number
WO2023098407A1
Authority
WO
WIPO (PCT)
Prior art keywords
usb
communication
protected
communication data
access control
Application number
PCT/CN2022/130164
Other languages
English (en)
French (fr)
Inventor
张昊
杜华
蔡镇河
Original Assignee
北京博衍思创信息科技有限公司
Application filed by 北京博衍思创信息科技有限公司
Publication of WO2023098407A1

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer > G06F21/82 Protecting input, output or interconnection devices > G06F21/85 Protecting interconnection devices, e.g. bus-connected or in-line devices
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F13/00 Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units > G06F13/38 Information transfer, e.g. on bus > G06F13/40 Bus structure > G06F13/4004 Coupling between buses > G06F13/4022 Coupling between buses using switching circuits, e.g. switching matrix, connection or expansion network
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F13/00 Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units > G06F13/38 Information transfer, e.g. on bus > G06F13/42 Bus transfer protocol, e.g. handshake; Synchronisation > G06F13/4282 Bus transfer protocol on a serial bus, e.g. I2C bus, SPI bus

Definitions

  • the present disclosure relates to the field of device communication control, in particular, to a communication control method, device, electronic device and computer-readable medium between a USB device and a protected device.
  • the present disclosure provides a communication control method and apparatus between a USB device and a protected device, an electronic device, and a computer-readable medium, which protect the data security of the protected device by means of a USB access control device externally connected to the protected device.
  • a communication control method between a USB device and a protected device is proposed. The method is applied to a USB access control device, which is connected to the protected device through an interface, and includes: after the USB device is inserted into the USB access control device and passes authentication, monitoring the communication data between the USB device and the protected device; determining the communication protocol type (the USB transfer type) of the communication data according to the USB protocol specification; and disconnecting the communication between the USB device and the protected device according to that communication protocol type.
  • determining the communication protocol type of the communication data includes: obtaining communication protocol information from the communication data according to the USB protocol specification, and determining from that information that the communication protocol type of the communication data is the bulk transfer protocol.
  • disconnecting the communication between the USB device and the protected device includes: if the communication protocol type of the communication data is the bulk transfer protocol, disconnecting the communication between the USB device and the protected device.
  • determining the communication protocol type of the communication data includes: obtaining communication protocol information from the communication data according to the USB protocol specification, and determining from that information that the communication protocol type of the communication data is the isochronous transfer protocol (rendered "synchronous transfer protocol" in the original translation).
  • disconnecting the communication between the USB device and the protected device includes: if the communication protocol type of the communication data is the isochronous transfer protocol, determining the data flow direction of the communication data, and if the data flow direction is from the protected device to the USB device, disconnecting the communication between the USB device and the protected device.
  • determining the communication protocol type of the communication data includes: obtaining communication protocol information from the communication data according to the USB protocol specification, and determining from that information that the communication protocol type of the communication data is the interrupt transfer protocol.
  • disconnecting the communication between the USB device and the protected device includes: if the communication protocol type of the communication data is the interrupt transfer protocol, determining the data flow direction of the communication data, and if the data flow direction is from the protected device to the USB device, disconnecting the communication between the USB device and the protected device.
  • determining the communication protocol type of the communication data includes: obtaining communication protocol information from the communication data according to the USB protocol specification, and determining from that information that the communication protocol type of the communication data is a custom transfer protocol.
  • disconnecting the communication between the USB device and the protected device includes: if the communication protocol type of the communication data is a custom transfer protocol, determining whether the communication data is unparseable data, and if it is, disconnecting the communication between the USB device and the protected device.
  • the method further includes: sending alarm information to the protected device when the communication between the USB device and the protected device is disconnected.
  • the method further includes: before the USB access control device is powered on, keeping the switch deployed in the USB access control device closed, so that the USB device and the protected device can communicate normally; or, after the USB access control device is powered on, opening the switch deployed in the USB access control device and triggering the enumeration mechanism of the USB device.
  • a communication control apparatus between a USB device and a protected device is proposed. The apparatus is applied to a USB access control device, which is connected to the protected device through an interface, and includes: a monitoring module configured to monitor the communication data between the USB device and the protected device after the USB device is inserted into the USB access control device and passes authentication; a communication protocol type determination module configured to determine the communication protocol type of the communication data according to the USB protocol specification; and a control module configured to disconnect the communication between the USB device and the protected device according to the communication protocol type of the communication data.
  • an electronic device is proposed which includes: one or more processors; and a storage device storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method above.
  • a computer-readable medium is proposed on which a computer program is stored; when the program is executed by a processor, the above method is realized.
  • the method is applied to a USB access control device, and the USB access control device is connected to the protected device through an interface.
  • the data security of the protected device can be protected by connecting the USB access control device externally to the protected device, effectively preventing data leakage from the protected device, without installing security protection software on the protected device.
  • the USB access control device monitors the communication data between the USB device and the protected device, determines the communication protocol type of that data according to the USB protocol specification, and then disconnects the communication between the USB device and the protected device according to that communication protocol type.
  • Fig. 1 is a schematic structural diagram of a USB device access control system according to an exemplary embodiment.
  • Fig. 2 is a flowchart showing a communication control method between a USB device and a protected device according to an exemplary embodiment.
  • Fig. 3 is a schematic diagram showing a specific deployment of a USB communication data analysis module in a USB access control device according to an exemplary embodiment.
  • Fig. 4 is a flow chart of a communication control method between a USB device and a protected device according to another exemplary embodiment.
  • Fig. 5 is a flow chart of a communication control method between a USB device and a protected device according to another exemplary embodiment.
  • Fig. 6 is a flow chart of a communication control method between a USB device and a protected device according to another exemplary embodiment.
  • Fig. 7 is a flowchart of a communication control method between a USB device and a protected device according to another exemplary embodiment.
  • Fig. 8 is a schematic diagram showing the connection relationship between the data forwarding module and the USB communication data analysis module according to an exemplary embodiment.
  • Fig. 9 is a schematic diagram of a network version of a USB device access control system according to an exemplary embodiment.
  • Fig. 10 is a schematic diagram of software deployed on a management workstation A according to an exemplary embodiment.
  • Fig. 11 is a schematic diagram showing the connection relationship between the USB communication data analysis module and the data forwarding module in the USB registration device according to an exemplary embodiment.
  • Fig. 12 is a block diagram of an apparatus for controlling communication between a USB device and a protected device according to an exemplary embodiment.
  • Fig. 13 is a block diagram of an electronic device according to an exemplary embodiment.
  • Fig. 14 is a block diagram showing a computer readable medium according to an exemplary embodiment.
  • Example embodiments will now be described more fully with reference to the accompanying drawings.
  • Example embodiments may, however, be embodied in many forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art.
  • the same reference numerals denote the same or similar parts in the drawings, and thus their repeated descriptions will be omitted.
  • Fig. 1 is a schematic structural diagram of a USB device access control system according to an exemplary embodiment.
  • the USB device access control system 100 may include a USB access control device 110 , a USB device 120 and a protected device 130 .
  • the USB access control device 110 is equipped with two USB ports, which are USB port UA1 and USB port UA2 respectively.
  • the number of USB ports can be increased according to actual application scenarios.
  • the USB access control device 110 and the USB device 120 can be connected through the USB port UA1.
  • the USB access control device 110 and the protected device 130 can be connected through the USB port UA2.
  • the USB access control device 110 can be used to protect the security of data in the protected device 130 .
  • the USB access control device 110 may authenticate the USB device 120 according to the descriptor of the USB device 120 .
  • the USB access control device 110 monitors the communication data between the USB device 120 and the protected device 130, determines the communication protocol type of that data according to the USB protocol specification, and then disconnects the communication between the USB device 120 and the protected device 130 according to that communication protocol type.
  • the USB access control device 110 may be a security device capable of protecting data.
  • the USB device 120 may be an external storage device, an external HID device, and so on.
  • the external storage device may be a USB flash drive, a mobile hard disk, and the like.
  • the external HID device can be a mouse, keyboard, gamepad, etc.
  • Fig. 2 is a flowchart showing a communication control method between a USB device and a protected device according to an exemplary embodiment. The method is applied to a USB access control device, and the USB access control device is connected to the protected device through an interface.
  • the communication control method between the USB device and the protected device may include steps S210 to S230.
  • step S210: after the USB device is inserted into the USB access control device and passes authentication, the communication data between the USB device and the protected device is monitored.
  • step S220 the communication protocol type of the communication data is determined according to the USB protocol specification.
  • step S230 disconnect the communication between the USB device and the protected device according to the communication protocol type of the communication data.
  • This method protects the data security of the protected device through the USB access control device externally connected to it, effectively preventing the leakage of data from the protected device, and guarantees that protection without installing security protection software on the protected device.
  • for example, after the USB device is inserted into the USB access control device and passes authentication, the USB access control device monitors the communication data between the USB device and the protected device, determines the communication protocol type of that data according to the USB protocol specification, and then disconnects the communication between the USB device and the protected device according to that communication protocol type.
  • the communication protocol type of the communication data between the USB device and the protected device may be any one or more of the following: bulk transfer protocol, isochronous transfer protocol (called "synchronous transfer protocol" in the original translation), interrupt transfer protocol, custom transfer protocol.
  • each communication protocol type may involve the following transactions: SETUP transaction, IN transaction, and OUT transaction.
  • the token packets of all transactions are issued by the USB host, which here is the protected device; an IN token therefore moves data from the USB device to the protected device, and an OUT token moves data from the protected device to the USB device.
  • the core principle of communication data analysis and abnormality prevention for USB devices is "wide entry, strict exit": on the basis of USB device access authorization, the communication protocol types permitted between the USB device and the protected device are restricted. For example, bulk transfers are prohibited; isochronous transfers allow only IN transactions (USB device to protected device); interrupt transfers may run IN transactions, and for OUT transactions the direction of the data transfer is checked (data transfer from the USB device to the protected device is allowed, data transfer from the protected device to the USB device is prohibited).
  • when the USB device is inserted into the USB access control device, the USB device needs to be authenticated. After the USB device passes authentication, it can communicate with the protected device.
  • the authentication process of the USB device can be: when the USB device is inserted into the USB access control device, obtain the descriptors of the USB device and compare them with the registration information of the USB device; if the descriptors are the same as the registration information, close the switch deployed in the USB access control device so that the USB device can communicate with the protected device.
  • while the USB device communicates with the protected device, the USB access control device can also continue to obtain the descriptors of the USB device and compare them with the registration information; if the descriptors differ from the registration information, it opens the switch deployed in the USB access control device.
  • the USB access control device 110 may include an interface control module and a system control module.
  • the interface control module has three USB ports, namely USB port UA1, USB port UA2, and USB port UB.
  • USB port UA1 and USB port UA2 are external interfaces, and USB port UB is an internal interface.
  • the external interface UA2 is connected to the corresponding USB port UC of the protected device 130.
  • the external interface UA1 is used to access one or more USB devices 120 .
  • the system control module has one internal interface, USB port UD.
  • the UD of the system control module is electrically connected to the UB of the interface control module, and the system control module controls the security authentication of the external devices connected to the external interface UA1 of the interface control module.
  • two USB communication data analysis modules and two switches are also deployed in the interface control module.
  • one end of one USB communication data analysis module is connected to the external interface UA1, its other end is connected to one end of a switch, and the other end of that switch is connected to the internal interface UB.
  • one end of the other USB communication data analysis module is connected to the external interface UA1, its other end is connected to one end of a switch, and the other end of that switch is connected to the external interface UA2.
  • each USB communication data analysis module is connected in series (in-line) on the path between the external interface of the interface control module and the USB port of the protected device, so that the descriptors and/or communication data of the USB device on the direct connection path are monitored in real time.
  • the analysis module is implemented based on USB protocol analysis, and is used to analyze the descriptor and/or communication data of the USB device.
  • the USB communication data analysis module between the external interface UA1 and the internal interface UB is used to analyze the descriptor of the USB device 120 .
  • the USB communication data analysis module between the external interface UA1 and the external interface UA2 is used to obtain the descriptors of the USB device 120 and to analyze the communication data between the USB device 120 and the protected device 130.
  • Fig. 4 is a flow chart of a communication control method between a USB device and a protected device according to another exemplary embodiment.
  • step S220 may include step S410 and step S420.
  • step S410 the communication protocol information is obtained from the communication data according to the USB protocol specification.
  • step S420 according to the communication protocol information, it is determined that the communication protocol type of the communication data is a bulk transfer protocol.
  • if the communication protocol type of the communication data between the USB device and the protected device is the bulk transfer protocol, the communication between the USB device and the protected device is disconnected, so that the data security of the protected device is protected in time.
  • the USB communication data analysis module between the external interface UA1 and the external interface UA2 in the USB access control device 110 detects the communication protocol type of the communication data between the USB device 120 and the protected device 130 in real time.
  • if the communication protocol type is the bulk transfer protocol, the switch between the external interface UA1 and the external interface UA2 in the USB access control device 110 is opened. At this time the USB device 120 and the protected device 130 cannot communicate, and in this way the security of the data in the protected device is protected in time.
  • Fig. 5 is a flow chart of a communication control method between a USB device and a protected device according to another exemplary embodiment.
  • step S220 may include step S510 and step S520.
  • step S510 the communication protocol information is obtained from the communication data according to the USB protocol specification.
  • step S520: according to the communication protocol information, it is determined that the communication protocol type of the communication data is the isochronous transfer protocol.
  • if the communication protocol type of the communication data between the USB device and the protected device is the isochronous transfer protocol, the data flow direction of the communication data is determined; if the data flow direction is from the protected device to the USB device, the communication between the USB device and the protected device is disconnected, so that the data in the protected device is protected in time.
  • if the USB communication data analysis module between the external interface UA1 and the external interface UA2 in the USB access control device 110 detects that the communication protocol type is the isochronous transfer protocol, the data direction of the communication data is judged. If the data flow direction is from the protected device 130 to the USB device 120, the switch between the external interface UA1 and the external interface UA2 in the USB access control device 110 is opened. At this time the USB device 120 and the protected device 130 cannot communicate, and in this way the security of the data in the protected device is protected in time.
  • Fig. 6 is a flow chart of a communication control method between a USB device and a protected device according to another exemplary embodiment.
  • step S220 may include step S610 and step S620.
  • step S610 the communication protocol information is obtained from the communication data according to the USB protocol specification.
  • step S620: according to the communication protocol information, it is determined that the communication protocol type of the communication data is the interrupt transfer protocol.
  • if the communication protocol type of the communication data between the USB device and the protected device is the interrupt transfer protocol, the data flow direction of the communication data is determined; if the data flow direction is from the protected device to the USB device, the communication between the USB device and the protected device is disconnected, so that the data in the protected device is protected in time.
  • if the USB communication data analysis module between the external interface UA1 and the external interface UA2 in the USB access control device 110 detects that the communication protocol type is the interrupt transfer protocol, the data direction of the communication data is judged. If the data flow direction is from the protected device 130 to the USB device 120, the switch between the external interface UA1 and the external interface UA2 in the USB access control device 110 is opened. At this time the USB device 120 and the protected device 130 cannot communicate, and in this way the security of the data in the protected device is protected in time.
  • Fig. 7 is a flowchart of a communication control method between a USB device and a protected device according to another exemplary embodiment.
  • step S220 may include step S710 and step S720.
  • step S710 according to the USB protocol specification, the communication protocol information is obtained from the communication data.
  • step S720: according to the communication protocol information, it is determined that the communication protocol type of the communication data is a custom transfer protocol.
  • if the communication protocol type of the communication data between the USB device and the protected device is a custom transfer protocol, it is determined whether the communication data is unparseable data; if it is, the communication between the USB device and the protected device is disconnected, so that the data in the protected device is protected in time.
  • if the USB communication data analysis module between the external interface UA1 and the external interface UA2 in the USB access control device 110 detects that the communication protocol type is a custom transfer protocol, it judges whether the communication data is unparseable data. If it is, the switch between the external interface UA1 and the external interface UA2 in the USB access control device 110 is opened. At this time the USB device 120 and the protected device 130 cannot communicate, and in this way the security of the data in the protected device is protected in time.
  • the method further includes: when the communication between the USB device and the protected device is disconnected, sending an alarm message to the protected device.
  • when the USB access control device 110 opens the switch between the external interface UA1 and the external interface UA2, it sends an alarm message to the protected device 130 so as to alert the personnel responsible for the protected device 130.
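The per-transfer-type rules of Figs. 4 to 7 and the alarm on disconnection, carried through as one policy engine, as an added Python example that is not code from the patent or from the assignee's products. It assumes the guard learned each endpoint's transfer type from the endpoint descriptors seen during enumeration (bmAttributes bits 1:0), treats a token that fails its PID or CRC5 check, or that addresses an endpoint the descriptors never declared, as the page's "unparseable data", and allows control transfers on endpoint 0 because enumeration needs them; the bit order assumed for the CRC5 field is this example's reading of USB 2.0, not anything stated on the page. The configuration descriptor and token stream are constructed for the example, and all names (usb_crc5, encode_token, endpoint_types, Guard, run_demo) are its own.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Token PIDs (low nibble; the high nibble of the PID byte is its complement).
PID_OUT, PID_IN, PID_SETUP = 0x1, 0x9, 0xD
DIRECTION = {PID_OUT: "OUT", PID_IN: "IN", PID_SETUP: "SETUP"}
# Transfer type = bmAttributes & 0x03 of an endpoint descriptor.
CONTROL, ISOCHRONOUS, BULK, INTERRUPT = 0, 1, 2, 3
TYPE_NAME = {0: "control", 1: "isochronous", 2: "bulk", 3: "interrupt"}

def usb_crc5(bits11: int) -> int:
    """USB CRC-5 (x^5+x^2+1, seed 0x1F, inverted) over ADDR|ENDP, LSB first."""
    crc = 0x1F
    for i in range(11):
        feedback = ((bits11 >> i) & 1) ^ ((crc >> 4) & 1)
        crc = ((crc << 1) & 0x1F) ^ (0x05 if feedback else 0)
    return (~crc) & 0x1F

def _rev5(x: int) -> int:
    return int(f"{x:05b}"[::-1], 2)

def encode_token(pid: int, addr: int, endp: int) -> bytes:
    """PID byte, then ADDR(7)|ENDP(4)|CRC5(5) little-endian; the CRC goes out
    MSB first, so it sits bit-reversed in the field (assumption of this example)."""
    body = (addr & 0x7F) | ((endp & 0xF) << 7)
    body |= _rev5(usb_crc5(body)) << 11
    return bytes([pid | ((~pid & 0xF) << 4), body & 0xFF, body >> 8])

def decode_token(pkt: bytes) -> Tuple[int, int, int]:
    """(pid, addr, endp); ValueError on anything malformed, so a corrupted or
    forged token never reaches the policy."""
    pid = pkt[0] & 0xF if len(pkt) == 3 else -1
    if pid not in DIRECTION or pkt[0] >> 4 != (~pid & 0xF):
        raise ValueError("bad length or PID byte")
    body = pkt[1] | (pkt[2] << 8)
    if _rev5(usb_crc5(body & 0x7FF)) != body >> 11:
        raise ValueError("CRC5 mismatch")
    return pid, body & 0x7F, (body >> 7) & 0xF

def endpoint_types(config: bytes) -> Dict[int, int]:
    """bEndpointAddress -> transfer type from the endpoint descriptors (type 0x05)
    of a configuration descriptor set.  EP0 is always control."""
    types, i = {0x00: CONTROL, 0x80: CONTROL}, 0
    while i < len(config):
        length = config[i]
        if length < 2 or i + length > len(config):
            raise ValueError("truncated descriptor")
        if config[i + 1] == 0x05 and length >= 7:
            types[config[i + 2]] = config[i + 3] & 0x03
        i += length
    return types

@dataclass
class Guard:
    """State of the UA1-UA2 switch plus the alarms raised when it is opened."""
    ep_types: Dict[int, int]
    switch_closed: bool = True
    alarms: List[str] = field(default_factory=list)

    def _disconnect(self, reason: str) -> str:
        self.switch_closed = False
        self.alarms.append(reason)          # alarm goes to the protected device
        return f"disconnect: {reason}"

    def handle_token(self, pkt: bytes) -> str:
        if not self.switch_closed:
            return "dropped: switch open"
        try:
            pid, _addr, endp = decode_token(pkt)
        except ValueError as err:
            return self._disconnect(f"unparseable token ({err})")
        # Host = protected device: OUT/SETUP carry data towards the USB device,
        # IN carries data from the USB device to the protected device.
        to_usb_device = pid != PID_IN
        ep_type = self.ep_types.get(endp if to_usb_device else endp | 0x80)
        if ep_type is None:                 # never declared: treat as unparseable
            return self._disconnect(f"undeclared endpoint {endp} {DIRECTION[pid]}")
        if ep_type == BULK:
            return self._disconnect("bulk transfer")
        if ep_type in (ISOCHRONOUS, INTERRUPT) and to_usb_device:
            return self._disconnect(
                f"{TYPE_NAME[ep_type]} {DIRECTION[pid]} (protected device -> USB device)")
        return f"allow: {TYPE_NAME[ep_type]} {DIRECTION[pid]} ep{endp}"

# Constructed composite device: keyboard (interrupt IN 0x81, interrupt OUT 0x01)
# plus mass storage (bulk OUT 0x02, bulk IN 0x82).
SAMPLE_CONFIG = bytes.fromhex(
    "090240000201008032" "090400000203010100" "092111010001223f00"
    "0705810308000a" "0705010308000a"
    "090401000208065000" "07050202000200" "07058202000200")

def run_demo() -> List[str]:
    """Constructed host token stream to device address 5, then two single-token
    cases on fresh guards: an interrupt OUT and a token with one flipped ADDR bit."""
    guard = Guard(endpoint_types(SAMPLE_CONFIG))
    stream = [encode_token(PID_SETUP, 5, 0),  # control request on EP0
              encode_token(PID_IN, 5, 1),     # keyboard report, interrupt IN
              encode_token(PID_IN, 5, 2),     # read from the drive, bulk IN
              encode_token(PID_IN, 5, 1)]     # arrives after the switch opened
    results = [guard.handle_token(t) for t in stream]
    results.append(Guard(guard.ep_types).handle_token(encode_token(PID_OUT, 5, 1)))
    corrupt = bytearray(encode_token(PID_IN, 5, 1))
    corrupt[1] ^= 0x01
    results.append(Guard(guard.ep_types).handle_token(bytes(corrupt)))
    return results
```

Direction is decided from the token PID alone: IN tokens move data from the USB device to the protected device (the host), OUT and SETUP tokens move it the other way, which is exactly the "protected device to USB device" flow the page prohibits for isochronous and interrupt endpoints. Bulk endpoints are refused in both directions, so a mass-storage function never gets to read or write even when the same device also presents an innocuous keyboard interface, and a token that fails its CRC5 is refused before its address or endpoint is trusted.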
  • the method further includes: before the USB access control device is powered on, keeping the switch deployed in the USB access control device closed, so that the USB device and the protected device can communicate normally; or, after the USB access control device is powered on, opening the switch deployed in the USB access control device and triggering the enumeration mechanism of the USB device.
  • before the USB access control device 110 is powered on, the switch between the external interface UA1 and the external interface UA2 in the USB access control device 110 is closed, so that the USB device 120 and the protected device 130 can communicate normally. This realizes the power-off bypass function of the USB access control device 110; while it is bypassed, none of the monitoring described above takes place, so the path is unfiltered until the device is powered.
  • when the USB device 120 is inserted into the USB access control device 110 and the USB access control device 110 is powered on, the switch between the external interface UA1 and the external interface UA2 is opened, and the enumeration mechanism of the USB device 120 is triggered in order to authenticate the USB device 120.
  • the following embodiments specifically describe the enumeration mechanism of the USB device, that is, the authentication process of the USB device.
  • when the USB device 120 is inserted into the external interface UA1, which is directly connected to the USB port UC of the protected device, the inserted USB device 120 is powered on and enters the device identification process defined by the USB specification, that is, the enumeration process of the USB device 120.
  • the switch between the internal interface UB and the external interface UA1 of the USB access control device 110 is closed, and the system control module controls the connection between the two.
  • the USB communication data analysis module between them obtains the descriptors of the USB device 120 and compares them with the registration information of the USB device 120.
  • the USB communication data analysis module monitors the communication data between the USB device 120 and the protected device 130, determines the communication protocol type of that data according to the USB protocol specification, and then controls the communication between the two parties according to that communication protocol type, for example by disconnecting the communication between the USB device 120 and the protected device 130. In this way the data security of the protected device 130 is protected by the USB access control device 110 externally connected to it, data leakage from the protected device 130 is effectively prevented, and the data security of the protected device can be guaranteed without installing security protection software on the protected device 130.
  • the USB communication data analysis module between the external interface UA1 and the external interface UA2 of the USB access control device 110 also needs to keep obtaining the descriptors of the USB device 120 and comparing them with the registration information of the USB device 120. If the descriptors of the USB device 120 differ from the registration information, the switch deployed in the USB access control device (for example, the switch between the external interface UA1 and the external interface UA2) is opened; at this time the USB device 120 and the protected device 130 cannot communicate, so the data security of the protected device 130 is also protected.
  • when the USB device 120 is inserted into UA1 of the USB access control device 110, it is connected to the corresponding USB port on the protected device 130 through the internal connection of the USB access control device 110, the inserted USB device 120 is powered on, and the device identification process is entered, that is, the first enumeration process of the USB device 120.
  • the descriptors in the enumeration process are extracted from the communication data between the USB device 120 and the protected device 130 (for example, vendor ID (VID), product ID (PID) and serial number information, number of configurations, identifier of the currently used configuration, number of interfaces supported by the configuration, interface number, interface class, interface subclass, interface protocol, etc.) and compared and matched with the registration information; if any inconsistency is found, the communication between the USB device 120 and the protected device 130 is disconnected and an alarm message is sent.
  • the above-mentioned descriptors of the USB device 120 may include any one or more of the following: device descriptor, configuration descriptor, interface descriptor, and HID descriptor.
  • a USB device 120 has only one device descriptor, and the device descriptor includes the following table 1.
  • the USB device 120 can have at least one or more configuration descriptors.
  • the last item bNumConfigurations of the above-mentioned device descriptors limits the number of configuration descriptors.
  • the USB device 120 currently selects one of these configurations; the configuration descriptor information is shown in Table 2, where bConfigurationValue is the identifier of the current configuration.
  • the foregoing interface descriptor may be used to describe the situation of the interface under the foregoing current configuration.
  • a single-function USB device 120 has an interface, such as a USB flash drive.
  • the composite function USB device 120 has multiple interfaces, for example, a composite device integrating a mouse and a keyboard, wherein one interface corresponds to one function.
  • a USB device 120 can have multiple configurations, but currently only one configuration can be selected.
  • if the device type bDeviceClass in the device descriptor is 0, the category is identified by the interface descriptor instead.
  • the interface class, interface subclass, and interface protocol are used to describe the category to which the function of the USB device 120 belongs.
  • acquiring the descriptor of the USB device may include sending a Get_Descriptor control packet to the USB device, and receiving the device descriptor that the USB device returns in response to the Get_Descriptor control packet.
  • Get_Descriptor control packet can be sent to the USB device to request to obtain the device descriptor of the USB device, so that the USB access control device can quickly obtain the device descriptor of the USB device.
  • the system control module controls the USB communication data analysis module between the internal interface UB and the external interface UA1 to obtain the device descriptor of the USB device 120 , and determine whether to close or open a switch deployed in the USB access control device 110 based on the device descriptor.
  • when the USB device 120 is inserted into the external interface UA1 of the USB access control device 110, the USB communication data analysis module between the internal interface UB and the external interface UA1 sends a Get_Descriptor control packet to the USB device 120, and the USB device 120 returns its device descriptor to the USB communication data analysis module in response to the control packet, for example, the bDeviceClass, bDeviceSubClass, bDeviceProtocol, bLength, bDescriptorType, and bString fields of the device descriptor.
  • the USB communication data analysis module may compare the registration information of the USB device 120 obtained in advance with the currently obtained device descriptor, so as to enumerate the USB device 120 for the first time.
  • comparing the descriptor of the USB device 120 with the registration information of the USB device 120 includes: comparing whether the bDeviceClass in the device descriptor is the same as the bDeviceClass in the registration information; comparing whether the bDeviceSubClass in the device descriptor is the same as the bDeviceSubClass in the registration information; comparing whether the bDeviceProtocol in the device descriptor is the same as the bDeviceProtocol in the registration information; comparing whether the bLength in the device descriptor is the same as the bLength in the registration information; comparing whether the bDescriptorType in the device descriptor is the same as the bDescriptorType in the registration information; and comparing whether the bString in the device descriptor is the same as the bString in the registration information.
  • if all of these fields are the same, the switch deployed in the USB access control device 110 is closed. For example, close the switch between the external interface UA1 and the external interface UA2 in the USB access control device 110.
  • if any of these fields differs, the switch deployed in the USB access control device 110 is turned off. For example, disconnect the switch between the external interface UA1 and the external interface UA2 in the USB access control device 110. It should be noted that if the device descriptor in the descriptor of the USB device 120 differs from the device descriptor in the registration information and the switch in the USB access control device 110 is already off, it is simply left disconnected.
  • obtaining the descriptor of the USB device may also include sending a Get_Descriptor_Configuration control packet to the USB device, and receiving the configuration descriptor that the USB device returns in response to the Get_Descriptor_Configuration control packet.
  • Get_Descriptor_Configuration control packet is sent to the USB device to request to obtain the configuration descriptor of the USB device, so that the USB access control device can quickly obtain the configuration descriptor of the USB device.
  • the system control module controls the USB communication data analysis module between the internal interface UB and the external interface UA1 to obtain the configuration descriptor of the USB device 120 , and determine whether to close or open a switch deployed in the USB access control device 110 based on the configuration descriptor.
  • when the USB device 120 is inserted into the external interface UA1 of the USB access control device 110, the USB communication data analysis module between the internal interface UB and the external interface UA1 sends a Get_Descriptor_Configuration control packet to the USB device 120, and the USB device 120 returns its configuration descriptor to the USB communication data analysis module in response to the control packet, for example, the bNumInterfaces, bConfigurationValue, and wTotalLength fields of the configuration descriptor.
  • the USB communication data analysis module may compare the registration information of the USB device 120 obtained in advance with the currently obtained configuration descriptor, so as to enumerate the USB device 120 for the first time.
  • comparing the descriptor of the USB device 120 with the registration information of the USB device 120 includes: comparing whether the bNumInterfaces in the configuration descriptor is the same as the bNumInterfaces in the registration information; comparing whether the bConfigurationValue in the configuration descriptor is the same as the bConfigurationValue in the registration information; and comparing whether the wTotalLength in the configuration descriptor is the same as the wTotalLength in the registration information.
  • the switch of the USB access control device 110 is closed. For example, close the switch between the external interface UA1 and the external interface UA2 in the USB access control device 110 .
  • if any of these fields differs, the switch of the USB access control device 110 is turned off. For example, disconnect the switch between the external interface UA1 and the external interface UA2 in the USB access control device 110. It should be noted that if the configuration descriptor in the descriptor of the USB device 120 differs from the configuration descriptor in the registration information and the switch in the USB access control device 110 is already off, it is simply left disconnected.
  • acquiring the descriptor of the USB device may further include sending a Get_Descriptor_Configuration control packet to the USB device, and receiving the interface descriptor that the USB device returns in response to the Get_Descriptor_Configuration control packet.
  • Get_Descriptor_Configuration control packet is sent to the USB device to request to obtain the interface descriptor of the USB device, so that the USB access control device can quickly obtain the interface descriptor of the USB device.
  • the system control module controls the USB communication data analysis module between the internal interface UB and the external interface UA1 to obtain the interface descriptor of the USB device 120 , and determine whether to close or open a switch deployed in the USB access control device 110 based on the interface descriptor.
  • when the USB device 120 is inserted into the external interface UA1 of the USB access control device 110, the USB communication data analysis module between the internal interface UB and the external interface UA1 sends a Get_Descriptor_Configuration control packet to the USB device 120, and the USB device 120 returns its interface descriptor to the USB communication data analysis module in response to the control packet, for example, the bInterfaceNumber, bInterfaceClass, bDeviceSubClass, and bInterfaceProtocol fields of the interface descriptor.
  • the USB communication data analysis module may compare the registration information of the USB device 120 obtained in advance with the currently obtained interface descriptor, and enumerate the USB device 120 for the first time in this way.
  • comparing the descriptor of the USB device 120 with the registration information of the USB device 120 includes: comparing whether the bInterfaceNumber in the interface descriptor is the same as the bInterfaceNumber in the registration information; comparing whether the bInterfaceClass in the interface descriptor is the same as the bInterfaceClass in the registration information; comparing whether the bInterfaceSubClass in the interface descriptor is the same as the bInterfaceSubClass in the registration information; and comparing whether the bInterfaceProtocol in the interface descriptor is the same as the bInterfaceProtocol in the registration information.
  • closing the switch deployed in the USB access control device 110 includes: if the bInterfaceNumber, bInterfaceClass, bInterfaceSubClass, and bInterfaceProtocol in the interface descriptor correspond to the bInterfaceNumber, bInterfaceClass, bInterfaceSubClass, and bInterfaceProtocol in the registration information, the switch deployed in the USB access control device 110 is closed. For example, close the switch between the external interface UA1 and the external interface UA2 in the USB access control device 110.
  • disconnecting the switch deployed in the USB access control device 110 includes: if any of the bInterfaceNumber, bInterfaceClass, bInterfaceSubClass, and bInterfaceProtocol in the interface descriptor differs from the bInterfaceNumber, bInterfaceClass, bInterfaceSubClass, and bInterfaceProtocol in the registration information, the switch deployed in the USB access control device 110 is turned off. For example, disconnect the switch between the external interface UA1 and the external interface UA2 in the USB access control device 110. It should be noted that if the interface descriptor in the descriptor of the USB device 120 differs from the interface descriptor in the registration information and the switch in the USB access control device 110 is already off, it is simply left disconnected.
  • the descriptor of the USB device may be a device descriptor, a configuration descriptor, or an interface descriptor. It should be noted that the descriptor of the USB device in the present invention may include a device descriptor, a configuration descriptor, and an interface descriptor together. When the USB device 120 is inserted into the external interface UA1 of the USB access control device 110, the USB communication data analysis module between the external interface UA1 and the internal interface UB in the USB access control device 110 is used to obtain the device descriptor, the configuration descriptor, and the interface descriptor of the USB device 120.
  • a USB command is sent to the USB device 120, and the USB device 120 returns a device descriptor, a configuration descriptor, and an interface descriptor according to the corresponding USB command.
  • the USB communication data analysis module compares the obtained device descriptor, configuration descriptor, and interface descriptor with the device descriptor, configuration descriptor, and interface descriptor in the registration information of the USB device 120; this is the first enumeration of the USB device 120. If the device descriptor, configuration descriptor, and interface descriptor in the descriptor of the USB device 120 are the same as those in the registration information, the switch deployed in the USB access control device 110 is closed. For example, close the switch between the external interface UA1 and the external interface UA2 in the USB access control device 110.
  • if any of the device descriptor, configuration descriptor, and interface descriptor in the descriptor of the USB device 120 differs from the device descriptor, configuration descriptor, and interface descriptor in the registration information, the switch deployed in the USB access control device 110 is disconnected. For example, disconnect the switch between the external interface UA1 and the external interface UA2 in the USB access control device 110. If the switch in the USB access control device 110 is already in the off state, it is enough to keep it in the off state.
  • the USB device 120 is a HID device, that is, Human Interface Devices (HID), a human-machine interface device.
  • the descriptor of the USB device 120 may include not only the above-mentioned device descriptor, configuration descriptor, and interface descriptor, but also a HID descriptor. If the device descriptor, configuration descriptor, interface descriptor, and HID descriptor in the descriptor of the USB device 120 correspond to the device descriptor, configuration descriptor, interface descriptor, and HID descriptor in the registration information, the switch deployed in the USB access control device 110 is closed.
  • if there is any difference between the device descriptor, configuration descriptor, interface descriptor, and HID descriptor in the descriptor of the USB device 120 and the device descriptor, configuration descriptor, interface descriptor, and HID descriptor in the registration information, the switch deployed in the USB access control device 110 is turned off. It should be noted that if any of these descriptors differs from the registration information and the switch in the USB access control device 110 is already in the off state, it is enough to keep it in the off state.
  • the switch between the external interface UA1 and the external interface UA2 in the USB access control device 110 is closed, and the USB device 120 can communicate with the protected device 130 at this time.
  • the user may change the function of the USB device 120 through the hidden function of the USB device 120 during the use of the USB device 120, such as opening the hidden storage area, activating the storage function, etc., such operations cause the descriptor of the USB device 120 to change.
  • the re-enumeration of the USB device 120 is triggered.
  • the USB communication data analysis module analyzes the USB communication data between UA1 and UA2 in real time. If re-enumeration information is found while the USB device 120 is in use after it has passed authentication, the communication between UA1 and UA2 is disconnected and an alarm is triggered. For example, after the first enumeration of the USB device 120 has passed, the switch between the external interface UA1 and the external interface UA2 in the USB access control device 110 is closed, and the USB device 120 can communicate with the protected device 130 at this time.
  • the method provided by the present invention can take over each interface of the protected device 130 and ensure that use of the USB interface or serial device of the protected device 130 is completed by an external terminal protection device (i.e., the USB access control device 110), so that the USB interface or serial port of the protected device 130 can be protected without installing security protection software on the protected device 130.
  • the USB access control device 110 compares the descriptor information of the USB device 120 with the registration information of the USB device 120; if the comparison finds a difference, access by the USB device 120 is prohibited and the process of using the USB device 120 is terminated.
  • the USB communication data analysis module in the USB access control device 110 can be connected in series between the USB device 120 inserted by the user and the protected device 130, and between the USB device 120 and the system control module in the USB access control device 110 .
  • the communication data forwarding is realized by the data forwarding module so that the USB communication data analysis module can bypass between the USB device 120 inserted by the user and the protected device 130 , and between the system control module in the USB access control device 110 .
  • there is a switch between the USB device 120 inserted by the user and the protected device 130, for example, a program-controlled electronic switch, and the control program can control the connection between the USB device 120 inserted by the user and the protected device 130.
  • the USB access control device 110 can be connected to the control center through the network port to realize unified management, and can also operate independently without the control center.
  • the USB device needs to be registered before being used, that is, device authorization is performed.
  • Traditional device authorization is only for the vendor ID (VID), product identification code (PID) and serial number information of the USB device.
  • the registration process in the present invention is to obtain the descriptor information of the USB device, to confirm the access mode of the USB device, and to load the corresponding driver.
  • USB descriptors include device descriptors, configuration descriptors, interface descriptors, endpoint descriptors, and string descriptors.
  • HID devices also include three types of descriptors: HID descriptors, report descriptors, and physical descriptors.
  • the USB registration device C is connected to the management workstation B through the USB port.
  • the USB communication data analysis module in the USB registration device C can obtain the descriptor of the USB device, that is, the registration information, and verify the descriptor of the USB device against the USB protocol specification. It then sends the verified descriptor of the USB device to the management workstation B through the USB communication port.
  • the management workstation B can report the registration information of the USB device to the management server A through the network, so that the management server A can uniformly manage the registration information of the USB device.
  • the registration information of the USB device can be requested from the management server A, so that after the USB device is inserted into the USB access control device D or F, the registration information of the USB device is compared with the descriptor of the USB device. If they are consistent, the USB device can communicate with the protected device G or E; conversely, if they are not consistent, the USB device cannot communicate with the protected device G or E.
  • the registration authorization of the USB device can be realized by software or hardware.
  • FIG. 9 shows that the registration and authorization of the USB device is realized by means of hardware.
  • the registration authorization of the USB device is realized through the cooperation between the USB registration device C and the management workstation B.
  • Figure 10 shows that the registration and authorization of the USB device is realized through software installed in the management workstation B.
  • the user inserts the USB device into the USB port of the management workstation, and the registration and authorization of the USB device is realized through the USB device registration module and the USB communication data analysis module in the management workstation B.
  • when the USB device is registered and authorized, the registration software or hardware reads the device descriptor, configuration descriptor, interface descriptor, and other information of the USB device, and records the current USB interface descriptor information according to the currently used configuration descriptor of the USB device.
  • this information includes: vendor ID, product identification code (PID) and serial number information, configuration number, identifier of the currently used configuration, number of interfaces supported by the configuration, interface number, interface class, interface subclass, interface protocol, etc., and a unique identifier is generated from this information as the legal mark of the USB device.
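The registration step just described, together with the descriptor comparison performed at first enumeration and at any later re-enumeration (the bDeviceClass/bDeviceSubClass/bDeviceProtocol, bNumInterfaces/bConfigurationValue/wTotalLength and per-interface checks above), as one added example. This is illustrative code written for this page, not the patent's implementation; the descriptor bytes, the serial numbers and the function names are constructed, and the "legal mark" is assumed to be a SHA-256 of the canonical registration record.

```python
import hashlib
import json
import struct

# Constructed sample descriptors (not from any real device): an 18-byte device
# descriptor and the configuration chain of a single-function flash drive.
DEVICE_DESC = bytes.fromhex("120100020000004034127856000101020301")
CONFIG_DESC = bytes.fromhex(
    "090220000101008032"   # bNumInterfaces=1, bConfigurationValue=1, wTotalLength=32
    "090400000208065000"   # interface 0: class 0x08 mass storage, SCSI, bulk-only
    "07058102400000"       # endpoint 0x81, bulk IN
    "07050202400000")      # endpoint 0x02, bulk OUT
# The same device after a "hidden function" is activated: it re-enumerates as a
# composite device that also exposes a HID keyboard interface (wTotalLength=57).
CONFIG_DESC_COMPOSITE = bytes.fromhex(
    "090239000201008032"
    "090400000208065000" "07058102400000" "07050202400000"
    "090401000103010100"   # interface 1: class 0x03 HID, boot subclass, keyboard
    "092111010001223f00"   # HID descriptor: bcdHID 1.11, one report descriptor
    "07058303080008")      # endpoint 0x83, interrupt IN

def parse_device_descriptor(raw):
    """Unpack the 18-byte device descriptor and keep the fields that get registered."""
    if len(raw) < 18 or raw[0] != 18 or raw[1] != 0x01:
        raise ValueError("not a well-formed device descriptor")
    f = struct.unpack("<BBHBBBBHHHBBBB", raw[:18])
    return {"bLength": f[0], "bDescriptorType": f[1], "bDeviceClass": f[3],
            "bDeviceSubClass": f[4], "bDeviceProtocol": f[5],
            "idVendor": f[7], "idProduct": f[8], "bNumConfigurations": f[13]}

def parse_configuration(raw):
    """Walk the configuration chain, collecting interface (0x04) and HID (0x21)
    descriptors and rejecting chains that violate the USB specification."""
    if len(raw) < 9 or raw[0] != 9 or raw[1] != 0x02:
        raise ValueError("not a well-formed configuration descriptor")
    _, _, total, num_ifaces, value = struct.unpack("<BBHBB", raw[:6])
    if total != len(raw):
        raise ValueError("wTotalLength %d but %d bytes received" % (total, len(raw)))
    cfg = {"bNumInterfaces": num_ifaces, "bConfigurationValue": value,
           "wTotalLength": total, "interfaces": [], "hid": []}
    off = 9
    while off < len(raw):
        if off + 2 > len(raw) or raw[off] < 2 or off + raw[off] > len(raw):
            raise ValueError("malformed descriptor at offset %d" % off)
        length, dtype, body = raw[off], raw[off + 1], raw[off:off + raw[off]]
        if dtype == 0x04 and length >= 9:
            cfg["interfaces"].append({
                "bInterfaceNumber": body[2], "bAlternateSetting": body[3],
                "bInterfaceClass": body[5], "bInterfaceSubClass": body[6],
                "bInterfaceProtocol": body[7]})
        elif dtype == 0x21:
            cfg["hid"].append(body.hex())  # raw HID descriptor, compared byte for byte
        off += length
    if len({i["bInterfaceNumber"] for i in cfg["interfaces"]}) != num_ifaces:
        raise ValueError("bNumInterfaces disagrees with the interface descriptors")
    return cfg

def snapshot(device_raw, config_raw, serial):
    """Everything the access control device compares, as one canonical structure."""
    return {"device": parse_device_descriptor(device_raw),
            "configuration": parse_configuration(config_raw), "serial": serial}

def register(device_raw, config_raw, serial):
    """Registration step: record the descriptors and derive the device's legal mark."""
    snap = snapshot(device_raw, config_raw, serial)
    canonical = json.dumps(snap, sort_keys=True, separators=(",", ":")).encode()
    return {"descriptors": snap, "legal_mark": hashlib.sha256(canonical).hexdigest()}

def _diff(expected, observed, path=""):
    """List the registered-vs-observed differences, for the alarm message."""
    if isinstance(expected, dict) and isinstance(observed, dict):
        return [d for k in sorted(set(expected) | set(observed))
                for d in _diff(expected.get(k), observed.get(k), f"{path}.{k}" if path else k)]
    if isinstance(expected, list) and isinstance(observed, list):
        if len(expected) != len(observed):
            return [f"{path}: {len(expected)} entries -> {len(observed)} entries"]
        return [d for i, (e, o) in enumerate(zip(expected, observed))
                for d in _diff(e, o, f"{path}[{i}]")]
    return [] if expected == observed else [f"{path}: {expected!r} -> {observed!r}"]

def verify(record, device_raw, config_raw, serial):
    """Check at insertion (first enumeration) or at any later re-enumeration.
    Returns ("close", []) when every registered field matches, so the switch between
    UA1 and UA2 may be closed, else ("open", differences) and the switch stays open."""
    try:
        observed = snapshot(device_raw, config_raw, serial)
    except ValueError as exc:
        return "open", ["descriptor rejected: %s" % exc]
    differences = _diff(record["descriptors"], observed)
    return ("close", []) if not differences else ("open", differences)

if __name__ == "__main__":
    record = register(DEVICE_DESC, CONFIG_DESC, "SN0001")
    print("first enumeration:", verify(record, DEVICE_DESC, CONFIG_DESC, "SN0001"))
    print("re-enumeration:   ", verify(record, DEVICE_DESC, CONFIG_DESC_COMPOSITE, "SN0001"))
```

The second call shows why the method compares wTotalLength and bNumInterfaces rather than only VID/PID/serial: the re-enumerated composite device keeps the same identity fields but its configuration chain no longer matches, so the switch is opened.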
  • if the USB device is a Human Interface Device (HID), then, in view of the many attacks based on the HID device class, the registration software or hardware further collects the HID descriptor information of the HID device.
  • the type definition of the HID device can be placed in the interface descriptor, and the USB device descriptor and configuration descriptor do not contain the information of the HID device.
  • the USB device communication data analysis module can be connected in series between the USB registration port and the USB communication port or use a data forwarding module to realize a bypass connection on the communication line between the USB registration port and the USB communication port .
  • Fig. 12 is a block diagram showing a communication control device between a USB device and a protected device according to an exemplary embodiment.
  • the communication control device 200 between a USB device and a protected device includes: a monitoring module 210 , a communication protocol type determination module 220 and a control module 230 .
  • the monitoring module 210 monitors the communication data between the USB device and the protected device after the USB device is inserted into the USB access control device and passes authentication.
  • the communication protocol type determination module 220 is configured to determine the communication protocol type of the communication data according to the USB protocol specification.
  • the control module 230 is configured to disconnect the communication between the USB device and the protected device according to the communication protocol type of the communication data.
  • the communication control device 200 can protect the data security of the protected device through the USB access control device externally connected to the protected device, effectively prevent the leakage of data in the protected device, and ensure the data security of the protected device without installing security protection software on the protected device. For example, after the USB device is inserted into the USB access control device and passes authentication, the USB access control device monitors the communication data between the USB device and the protected device, determines the communication protocol type of that communication data according to the USB protocol specification, and then disconnects the communication between the USB device and the protected device according to the communication protocol type of the communication data.
  • the communication control device 200 between the USB device and the protected device can be used to realize the communication control method between the USB device and the protected device described in the above embodiments.
  • Fig. 13 is a block diagram of an electronic device according to an exemplary embodiment.
  • an electronic device 300 according to this embodiment of the present disclosure is described below with reference to FIG. 13.
  • the electronic device 300 shown in FIG. 13 is only an example, and should not limit the functions and scope of use of the embodiments of the present disclosure.
  • electronic device 300 takes the form of a general-purpose computing device.
  • Components of the electronic device 300 may include, but are not limited to: at least one processing unit 310, at least one storage unit 320, a bus 330 connecting different system components (including the storage unit 320 and the processing unit 310), a display unit 340, and the like.
  • the storage unit stores program codes, and the program codes can be executed by the processing unit 310, so that the processing unit 310 executes the steps in this specification according to various exemplary embodiments of the present disclosure.
  • the processing unit 310 may execute the steps shown in FIG. 2 to FIG. 6 .
  • the storage unit 320 may include a readable medium in the form of a volatile storage unit, such as a random access storage unit (RAM) 3201 and/or a cache storage unit 3202 , and may further include a read-only storage unit (ROM) 3203 .
  • the storage unit 320 may also include a program/utility 3204 having a set (at least one) of program modules 3205, such program modules 3205 including but not limited to: an operating system, one or more application programs, other program modules, and program data, each or some combination of these examples may include the realization of the network environment.
  • bus 330 may represent one or more of several types of bus structures, including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus structures.
  • the electronic device 300 can also communicate with one or more external devices (such as keyboards, pointing devices, Bluetooth devices, etc.), with one or more devices that enable a user to interact with the electronic device 300, and/or with any device (e.g., router, modem, etc.) that enables the electronic device 300 to communicate with one or more other computing devices. Such communication may occur through the input/output (I/O) interface 350.
  • the electronic device 300 can also communicate with one or more networks (such as a local area network (LAN), a wide area network (WAN) and/or a public network such as the Internet) through the network adapter 360.
  • the network adapter 360 can communicate with other modules of the electronic device 300 through the bus 330 .
  • other hardware and/or software modules may be used in conjunction with electronic device 300, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives And data backup storage system, etc.
  • the technical solution according to the embodiment of the present disclosure can be embodied in the form of a software product, and the software product can be stored in a non-volatile storage medium (which can be a CD-ROM, a U disk, a mobile hard disk, etc.) etc.) or on the network, including several instructions to make a computing device (which may be a personal computer, server, or network device, etc.) execute the above method according to the embodiments of the present disclosure.
  • the software product may utilize any combination of one or more readable media.
  • the readable medium may be a readable signal medium or a readable storage medium.
  • the readable storage medium may be, for example, but not limited to, an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples (a non-exhaustive list) of readable storage media include: an electrical connection with one or more conductors, a portable disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination of the foregoing.
  • the computer readable storage medium may include a data signal carrying readable program code in baseband or as part of a carrier wave traveling as a data signal. Such propagated data signals may take many forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination of the foregoing.
  • a readable storage medium may also be any readable medium other than a readable storage medium that can transmit, propagate, or transport a program for use by or in conjunction with an instruction execution system, apparatus, or device.
  • the program code contained on the readable storage medium may be transmitted by any suitable medium, including but not limited to wireless, cable, optical cable, RF, etc., or any suitable combination of the above.
  • program code for performing the operations of the present disclosure may be written in any combination of one or more programming languages, including object-oriented programming languages such as Java and C++, as well as conventional procedural programming languages such as "C" or similar programming languages.
  • the program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server to execute.
  • the remote computing device may be connected to the user computing device through any kind of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computing device (for example, through the Internet using an Internet service provider).
  • the above-mentioned computer-readable medium carries one or more programs, and when the one or more programs are executed by the device, the device realizes the following functions: the USB access control device externally connected to the protected device protects the data security of the protected device, effectively prevents the leakage of data in the protected device, and ensures the data security of the protected device without installing security protection software on the protected device. For example, after the USB device is inserted into the USB access control device and passes authentication, the USB access control device monitors the communication data between the USB device and the protected device, determines the communication protocol type of that communication data according to the USB protocol specification, and then disconnects the communication between the USB device and the protected device according to the communication protocol type of the communication data.
  • modules in the above embodiments can be distributed in the device according to the description of the embodiment, and corresponding changes can also be made in one or more devices that are only different from the embodiment.
  • the modules in the above embodiments can be combined into one module, and can also be further split into multiple sub-modules.
  • the exemplary embodiments described here can be implemented by software, or by combining software with necessary hardware. Therefore, the technical solutions according to the embodiments of the present disclosure can be embodied in the form of software products, and the software products can be stored in a non-volatile storage medium (which can be CD-ROM, U disk, mobile hard disk, etc.) or on the network , including several instructions to make a computing device (which may be a personal computer, server, mobile terminal, or network device, etc.) execute the method according to the embodiment of the present disclosure.
  • a non-volatile storage medium which can be CD-ROM, U disk, mobile hard disk, etc.
  • a computing device which may be a personal computer, server, mobile terminal, or network device, etc.


Abstract

The present disclosure relates to a method for controlling communication between a USB device and a protected device. The method is applied to a USB access control device, and the USB access control device is connected to the protected device through an interface. In this way, the USB access control device externally connected to the protected device can protect the data security of the protected device and effectively prevent data in the protected device from leaking, and the data security of the protected device can be guaranteed without installing security protection software on the protected device. For example, after the USB device is inserted into the USB access control device and passes authentication, the USB access control device monitors the communication data between the USB device and the protected device, determines the communication protocol type of the communication data between the two according to the USB protocol specification, and then disconnects the communication between the USB device and the protected device according to the communication protocol type of the communication data.

Description

Method, apparatus and electronic device for controlling communication between a USB device and a protected device
Technical Field
The present disclosure relates to the field of device communication control, and in particular to a method, apparatus, electronic device and computer-readable medium for controlling communication between a USB device and a protected device.
Background Art
In recent years, computer and network technology has developed rapidly, greatly promoting the popularity of networks. While people increasingly enjoy the convenience brought by networks, new threats have also arisen to the security of data in the computers people use in production or daily life, such as the common malicious code intrusion, virus/Trojan infection, traffic attacks, hacker theft, unauthorized access, impersonation of legitimate users, destruction of data integrity, interference with normal system operation, spreading of viruses over the network, man-in-the-middle eavesdropping, and so on.
At present there are already many technical means for addressing the data security of computers on an internal network, such as installing and using black/white lists, traffic control software, firewalls, anti-virus software, intrusion detection systems and other network security products on the host, but even after the above measures are taken, various network security incidents still occur frequently.
In addition, for certain special devices, such as hosts controlled by special software and the engineer station/operator station devices of certain industrial fields, because of the particularity of their systems there is often no security protection software on the market adapted to such systems, or installing security software easily causes compatibility problems with the host's original software, or even affects performance. Furthermore, once these engineer station or operator station hosts go online their operating systems are basically never upgraded, and even if security software is installed, the anti-malware software version and the malware signature database are often not updated in time, so no comprehensive security protection is achieved.
The above information disclosed in this Background section is only for enhancing understanding of the background of the present disclosure, and therefore it may include information that does not constitute prior art known to a person of ordinary skill in the art.
Summary of the Invention
In view of this, the present disclosure provides a method, apparatus, electronic device and computer-readable medium for controlling communication between a USB device and a protected device, which can protect the data security of the protected device through a USB access control device externally connected to the protected device.
Other features and advantages of the present disclosure will become apparent from the following detailed description, or will be learned in part through practice of the present disclosure.
According to one aspect of the present disclosure, a method for controlling communication between a USB device and a protected device is proposed. The method is applied to a USB access control device, the USB access control device being connected to the protected device through an interface, and the method includes: after the USB device is inserted into the USB access control device and passes authentication, monitoring the communication data between the USB device and the protected device; determining the communication protocol type of the communication data according to the USB protocol specification; and disconnecting the communication between the USB device and the protected device according to the communication protocol type of the communication data.
Optionally, determining the communication protocol type of the communication data according to the USB protocol specification includes: obtaining communication protocol information from the communication data according to the USB protocol specification; and determining, according to the communication protocol information, that the communication protocol type of the communication data is the bulk transfer protocol.
Optionally, disconnecting the communication between the USB device and the protected device according to the communication protocol type of the communication data includes: if the communication protocol type of the communication data is the bulk transfer protocol, disconnecting the communication between the USB device and the protected device.
Optionally, determining the communication protocol type of the communication data according to the USB protocol specification includes: obtaining communication protocol information from the communication data according to the USB protocol specification; and determining, according to the communication protocol information, that the communication protocol type of the communication data is the isochronous transfer protocol.
Optionally, disconnecting the communication between the USB device and the protected device according to the communication protocol type of the communication data includes: if the communication protocol type of the communication data is the isochronous transfer protocol, determining the data flow direction of the communication data; and if the data flow direction is from the protected device to the USB device, disconnecting the communication between the USB device and the protected device.
Optionally, determining the communication protocol type of the communication data according to the USB protocol specification includes: obtaining communication protocol information from the communication data according to the USB protocol specification; and determining, according to the communication protocol information, that the communication protocol type of the communication data is the interrupt transfer protocol.
Optionally, disconnecting the communication between the USB device and the protected device according to the communication protocol type of the communication data includes: if the communication protocol type of the communication data is the interrupt transfer protocol, determining the data flow direction of the communication data; and if the data flow direction is from the protected device to the USB device, disconnecting the communication between the USB device and the protected device.
Optionally, determining the communication protocol type of the communication data according to the USB protocol specification includes: obtaining communication protocol information from the communication data according to the USB protocol specification; and determining, according to the communication protocol information, that the communication protocol type of the communication data is a custom transfer protocol.
Optionally, disconnecting the communication between the USB device and the protected device according to the communication protocol type of the communication data includes: if the communication protocol type of the communication data is the custom transfer protocol, determining whether the communication data is unparseable data; and if the communication data is unparseable data, disconnecting the communication between the USB device and the protected device.
Optionally, the method further includes: when disconnecting the communication between the USB device and the protected device, sending alarm information to the protected device.
Optionally, the method further includes: before the USB access control device is powered on, closing the switch deployed in the USB access control device so that the USB device and the protected device can communicate normally; or, after the USB access control device is powered on, opening the switch deployed in the USB access control device and triggering the enumeration mechanism of the USB device.
According to one aspect of the present disclosure, an apparatus for controlling communication between a USB device and a protected device is proposed. The apparatus is applied to a USB access control device, the USB access control device being connected to the protected device through an interface, and the apparatus includes: a monitoring module which, after the USB device is inserted into the USB access control device and passes authentication, monitors the communication data between the USB device and the protected device; a communication protocol type determination module configured to determine the communication protocol type of the communication data according to the USB protocol specification; and a control module configured to disconnect the communication between the USB device and the protected device according to the communication protocol type of the communication data.
According to one aspect of the present disclosure, an electronic device is proposed, including: one or more processors; and a storage device for storing one or more programs; when the one or more programs are executed by the one or more processors, the one or more processors are caused to implement the method described above.
According to one aspect of the present disclosure, a computer-readable medium is proposed, on which a computer program is stored, and the program, when executed by a processor, implements the method described above.
According to the method, apparatus, electronic device and computer-readable medium for controlling communication between a USB device and a protected device of the present disclosure, the method is applied to a USB access control device, and the USB access control device is connected to the protected device through an interface. In this way, the USB access control device externally connected to the protected device can protect the data security of the protected device and effectively prevent data in the protected device from leaking, and the data security of the protected device can be guaranteed without installing security protection software on the protected device. For example, after the USB device is inserted into the USB access control device and passes authentication, the USB access control device monitors the communication data between the USB device and the protected device, determines the communication protocol type of the communication data between the two according to the USB protocol specification, and then disconnects the communication between the USB device and the protected device according to the communication protocol type of the communication data.
It should be understood that the above general description and the following detailed description are exemplary only and do not limit the present disclosure.
Brief Description of the Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent from the detailed description of its exemplary embodiments with reference to the accompanying drawings. The drawings described below are only some embodiments of the present disclosure; a person of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a schematic structural diagram of a USB device access control system according to an exemplary embodiment.
Fig. 2 is a flowchart of a method for controlling communication between a USB device and a protected device according to an exemplary embodiment.
Fig. 3 is a schematic diagram of the specific deployment of the USB communication data analysis module in the USB access control device according to an exemplary embodiment.
Fig. 4 is a flowchart of a method for controlling communication between a USB device and a protected device according to another exemplary embodiment.
Fig. 5 is a flowchart of a method for controlling communication between a USB device and a protected device according to another exemplary embodiment.
Fig. 6 is a flowchart of a method for controlling communication between a USB device and a protected device according to another exemplary embodiment.
Fig. 7 is a flowchart of a method for controlling communication between a USB device and a protected device according to another exemplary embodiment.
Fig. 8 is a schematic diagram of the connection relationship between the data forwarding module and the USB communication data analysis module according to an exemplary embodiment.
Fig. 9 is a schematic diagram of a networked version of the USB device access control system according to an exemplary embodiment.
Fig. 10 is a schematic diagram of the software deployed on management workstation A according to an exemplary embodiment.
Fig. 11 is a schematic diagram of the connection relationship between the USB communication data analysis module and the data forwarding module in the USB registration device according to an exemplary embodiment.
Fig. 12 is a block diagram of an apparatus for controlling communication between a USB device and a protected device according to an exemplary embodiment.
Fig. 13 is a block diagram of an electronic device according to an exemplary embodiment.
Fig. 14 is a block diagram of a computer-readable medium according to an exemplary embodiment.
Detailed Description
Exemplary embodiments will now be described more fully with reference to the accompanying drawings. However, the exemplary embodiments can be implemented in many forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that the present disclosure will be thorough and complete and will fully convey the concept of the exemplary embodiments to those skilled in the art. The same reference numerals in the drawings denote the same or similar parts, and their repeated description will be omitted.
Furthermore, the described features, structures or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of the embodiments of the present disclosure. However, those skilled in the art will recognize that the technical solutions of the present disclosure may be practiced without one or more of the specific details, or with other methods, components, apparatuses, steps, and so on. In other instances, well-known methods, apparatuses, implementations or operations are not shown or described in detail so as not to obscure aspects of the present disclosure.
The block diagrams shown in the drawings are merely functional entities and do not necessarily correspond to physically separate entities. That is, these functional entities may be implemented in software, in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
The flowcharts shown in the drawings are only exemplary illustrations; they need not include all contents and operations/steps, nor need they be executed in the order described. For example, some operations/steps may be further decomposed, while others may be merged or partially merged, so the actual execution order may change according to the actual situation.
It should be understood that although the terms first, second, third, etc. may be used herein to describe various components, these components should not be limited by these terms. These terms are used to distinguish one component from another. Thus, a first component discussed below could be termed a second component without departing from the teachings of the concepts of the present disclosure. As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items.
Those skilled in the art can understand that the drawings are only schematic diagrams of exemplary embodiments, and the modules or processes in the drawings are not necessarily required to implement the present disclosure and therefore cannot be used to limit the scope of protection of the present disclosure.
Fig. 1 is a schematic structural diagram of a USB device access control system according to an exemplary embodiment.
As shown in Fig. 1, the USB device access control system 100 may include a USB access control device 110, a USB device 120 and a protected device 130. The USB access control device 110 is deployed with two USB ports, namely USB port UA1 and USB port UA2. The number of USB ports can be increased according to the actual application scenario.
In this embodiment, the USB access control device 110 and the USB device 120 may be connected through USB port UA1. The USB access control device 110 and the protected device 130 may be connected through USB port UA2. The USB access control device 110 may be used to protect the security of the data in the protected device 130. For example, when the USB device 120 is inserted into USB port UA1 of the USB access control device 110, the USB access control device 110 may authenticate the USB device 120 according to the descriptors of the USB device 120. After the USB device 120 is inserted into the USB access control device 110 and passes authentication, the USB access control device 110 monitors the communication data between the USB device 120 and the protected device 130, determines the communication protocol type of the communication data between the two according to the USB protocol specification, and then disconnects the communication between the USB device 120 and the protected device 130 according to the communication protocol type of the communication data.
In this embodiment, the USB access control device 110 may be a security device with a data protection function. The USB device 120 may be an external storage device, an external HID device, and so on. For example, the external storage device may be a USB flash drive, a portable hard disk, etc. The external HID device may be a mouse, a keyboard, a game controller, etc.
Fig. 2 is a flowchart of a method for controlling communication between a USB device and a protected device according to an exemplary embodiment. The method is applied to a USB access control device, which is connected to the protected device through an interface.
As shown in Fig. 2, the method for controlling communication between a USB device and a protected device may include steps S210 to S230.
In step S210, after the USB device is inserted into the USB access control device and passes authentication, the communication data between the USB device and the protected device is monitored.
In step S220, the communication protocol type of the communication data is determined according to the USB protocol specification.
In step S230, the communication between the USB device and the protected device is disconnected according to the communication protocol type of the communication data.
With this method, the USB access control device externally connected to the protected device can protect the data security of the protected device and effectively prevent data in the protected device from leaking, and the data security of the protected device can be guaranteed without installing security protection software on the protected device. For example, after the USB device is inserted into the USB access control device and passes authentication, the USB access control device monitors the communication data between the USB device and the protected device, determines the communication protocol type of the communication data between the two according to the USB protocol specification, and then disconnects the communication between the USB device and the protected device according to the communication protocol type of the communication data.
In some embodiments of the present invention, the communication protocol type of the communication data between the USB device and the protected device may include any one or more of the following: the bulk transfer protocol, the isochronous transfer protocol, the interrupt transfer protocol, and a custom transfer protocol.
In some embodiments of the present invention, each communication protocol type may include the following transactions: SETUP transactions, IN transactions and OUT transactions. The token packets of all transactions are initiated by the USB host (for example, the protected device). The core principle of communication data analysis and anomaly prevention for USB devices is "lenient in, strict out": on the basis of USB device access authorization, the communication protocol types of the communication data flowing into the protected device are restricted. For example, bulk transfer is prohibited; isochronous transfer only allows IN transactions (i.e., from the USB device to the protected device); interrupt transfer may run IN transactions, while for OUT transactions the direction of the data transfer must be judged (i.e., data transfer from the USB device to the protected device is allowed, and data transfer from the protected device to the USB device is prohibited).
In some embodiments of the present invention, when the USB device is inserted into the USB access control device, the USB device needs to be authenticated, and only after the USB device passes authentication can the USB device and the protected device communicate. The authentication process of the USB device may be: when the USB device is inserted into the USB access control device, obtaining the descriptors of the USB device and comparing the descriptors of the USB device with the registration information of the USB device; if the descriptors of the USB device are the same as the registration information of the USB device, closing the switch deployed in the USB access control device so that the USB device and the protected device can communicate. In addition, while the USB device and the protected device are communicating, the descriptors of the USB device may continue to be obtained and compared with the registration information of the USB device, and if the descriptors of the USB device differ from the registration information of the USB device, the switch deployed in the USB access control device is opened.
Referring to Fig. 3, the USB access control device 110 may include an interface control module and a system control module. The interface control module has three USB ports, namely USB port UA1, USB port UA2 and USB port UB. USB ports UA1 and UA2 are external interfaces, and USB port UB is an internal interface. Internal interface UA2 is connected to the corresponding USB port UC of the protected device 130. External interface UA1 is used to connect one or more USB devices 120. The system control module is connected with one internal interface, namely USB port UD. UD of the system control module is electrically connected to UB of the interface control module and controls the security authentication of the external devices connected to external interface UA1 of the interface control module.
In this embodiment, the interface control module is also deployed with two USB communication data analysis modules and two switches. As shown in Fig. 3, one end of one USB communication data analysis module is connected to external interface UA1 and the other end to one end of a switch, the other end of which is connected to internal interface UB. One end of the other USB communication data analysis module is connected to external interface UA1 and the other end to one end of a switch, the other end of which is connected to external interface UA2. In this way the USB communication data analysis modules are connected in series with, and bypassed on, the line between the external interfaces of the interface control module and the USB port of the protected device, and monitor in real time the descriptors and/or communication data of the USB device on the direct-connection path. The USB communication data analysis module is implemented on the basis of USB protocol analysis and is used to analyze the descriptors and/or communication data of the USB device. For example, the USB communication data analysis module between external interface UA1 and internal interface UB is used to analyze the descriptors of the USB device 120. The USB communication data analysis module between external interface UA1 and external interface UA2 is used to analyze the descriptors of the USB device 120 as well as the communication data between the USB device 120 and the protected device 130.
The embodiments of Figs. 4 to 7 below describe in detail how the communication between the USB device and the protected device is controlled according to the communication protocol type.
Fig. 4 is a flowchart of a method for controlling communication between a USB device and a protected device according to another exemplary embodiment.
As shown in Fig. 4, the above step S220 may include steps S410 and S420.
In step S410, communication protocol information is obtained from the communication data according to the USB protocol specification.
In step S420, it is determined, according to the communication protocol information, that the communication protocol type of the communication data is the bulk transfer protocol.
In some embodiments of the present invention, if the communication protocol type of the communication data between the USB device and the protected device is the bulk transfer protocol, the communication between the USB device and the protected device is disconnected, so that the security of the data in the protected device can be protected in time.
Referring to Fig. 3, after the USB device 120 is inserted into the USB access control device 110 and passes authentication, the switch between external interface UA1 and external interface UA2 in the USB access control device 110 is closed and the USB device 120 and the protected device 130 can communicate. At this time the USB communication data analysis module between external interface UA1 and external interface UA2 in the USB access control device 110 detects in real time the communication protocol type of the communication data between the USB device 120 and the protected device 130. When the communication protocol type is detected to be the bulk transfer protocol, the switch between external interface UA1 and external interface UA2 in the USB access control device 110 is opened, so that the USB device 120 and the protected device 130 can no longer communicate. In this way the security of the data in the protected device can be protected in time.
Fig. 5 is a flowchart of a method for controlling communication between a USB device and a protected device according to another exemplary embodiment.
As shown in Fig. 5, the above step S220 may include steps S510 and S520.
In step S510, communication protocol information is obtained from the communication data according to the USB protocol specification.
In step S520, it is determined, according to the communication protocol information, that the communication protocol type of the communication data is the isochronous transfer protocol.
In some embodiments of the present invention, if the communication protocol type of the communication data between the USB device and the protected device is the isochronous transfer protocol, the data flow direction of the communication data is determined, and if the data flow direction is from the protected device to the USB device, the communication between the USB device and the protected device is disconnected, so that the security of the data in the protected device can be protected in time.
Referring to Fig. 3, after the USB device 120 is inserted into the USB access control device 110 and passes authentication, the switch between external interface UA1 and external interface UA2 in the USB access control device 110 is closed and the USB device 120 and the protected device 130 can communicate. At this time the USB communication data analysis module between external interface UA1 and external interface UA2 in the USB access control device 110 detects in real time the communication protocol type of the communication data between the USB device 120 and the protected device 130. When the communication protocol type is detected to be the isochronous transfer protocol, the data direction of the communication data is judged, and if the data flow direction is from the protected device 130 to the USB device 120, the switch between external interface UA1 and external interface UA2 in the USB access control device 110 is opened, so that the USB device 120 and the protected device 130 can no longer communicate. In this way the security of the data in the protected device can be protected in time.
Fig. 6 is a flowchart of a method for controlling communication between a USB device and a protected device according to another exemplary embodiment.
As shown in Fig. 6, the above step S220 may include steps S610 and S620.
In step S610, communication protocol information is obtained from the communication data according to the USB protocol specification.
In step S620, it is determined, according to the communication protocol information, that the communication protocol type of the communication data is the interrupt transfer protocol.
In some embodiments of the present invention, if the communication protocol type of the communication data between the USB device and the protected device is the interrupt transfer protocol, the data flow direction of the communication data is determined, and if the data flow direction is from the protected device to the USB device, the communication between the USB device and the protected device is disconnected, so that the security of the data in the protected device can be protected in time.
Referring to Fig. 3, after the USB device 120 is inserted into the USB access control device 110 and passes authentication, the switch between external interface UA1 and external interface UA2 in the USB access control device 110 is closed and the USB device 120 and the protected device 130 can communicate. At this time the USB communication data analysis module between external interface UA1 and external interface UA2 in the USB access control device 110 detects in real time the communication protocol type of the communication data between the USB device 120 and the protected device 130. When the communication protocol type is detected to be the interrupt transfer protocol, the data direction of the communication data is judged, and if the data flow direction is from the protected device 130 to the USB device 120, the switch between external interface UA1 and external interface UA2 in the USB access control device 110 is opened, so that the USB device 120 and the protected device 130 can no longer communicate. In this way the security of the data in the protected device can be protected in time.
Fig. 7 is a flowchart of a method for controlling communication between a USB device and a protected device according to another exemplary embodiment.
As shown in Fig. 7, the above step S220 may include steps S710 and S720.
In step S710, communication protocol information is obtained from the communication data according to the USB protocol specification.
In step S720, it is determined, according to the communication protocol information, that the communication protocol type of the communication data is a custom transfer protocol.
In some embodiments of the present invention, if the communication protocol type of the communication data between the USB device and the protected device is a custom transfer protocol, it is determined whether the communication data is unparseable data, and if the communication data is unparseable data, the communication between the USB device and the protected device is disconnected, so that the security of the data in the protected device can be protected in time.
Referring to Fig. 3, after the USB device 120 is inserted into the USB access control device 110 and passes authentication, the switch between external interface UA1 and external interface UA2 in the USB access control device 110 is closed and the USB device 120 and the protected device 130 can communicate. At this time the USB communication data analysis module between external interface UA1 and external interface UA2 in the USB access control device 110 detects in real time the communication protocol type of the communication data between the USB device 120 and the protected device 130. When the communication protocol type is detected to be a custom transfer protocol, it is judged whether the communication data is unparseable data, and if the communication data is unparseable data, the switch between external interface UA1 and external interface UA2 in the USB access control device 110 is opened, so that the USB device 120 and the protected device 130 can no longer communicate. In this way the security of the data in the protected device can be protected in time.
Based on the foregoing embodiments, the method further includes: when disconnecting the communication between the USB device and the protected device, sending alarm information to the protected device. Referring to Fig. 3, when the USB access control device 110 opens the switch between external interface UA1 and external interface UA2, alarm information is sent to the protected device 130 so as to alert the personnel responsible for the protected device 130.
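The transfer-type rules of steps S410 to S720 and the alarm of the preceding paragraph, as an added illustration that is not the applicant's code: an endpoint's transfer type is taken from bmAttributes of the endpoint descriptor captured during enumeration, token direction follows the USB convention (IN is device to host, so an OUT token is the protected-device-to-USB-device direction), and the vendor frame format used for the "custom protocol" case is a constructed assumption.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Optional


class Transfer(Enum):
    """Transfer type encoded in bits 1..0 of bmAttributes of the endpoint descriptor."""
    CONTROL = 0
    ISOCHRONOUS = 1
    BULK = 2
    INTERRUPT = 3


@dataclass
class Transaction:
    """One transaction as seen by the analysis module between UA1 and UA2."""
    token: str              # "SETUP", "IN" or "OUT"; every token is issued by the host
    endpoint: int           # bEndpointAddress of the endpoint the token addresses
    transfer: Transfer      # looked up from the endpoint descriptor captured at enumeration
    payload: bytes = b""    # data packet that followed the token, if any
    custom: bool = False    # endpoint belongs to a vendor-specific (custom protocol) interface


@dataclass
class Verdict:
    disconnect: bool
    reason: str
    alarm: Optional[str] = None


def parse_vendor_frame(payload: bytes) -> Optional[bytes]:
    """Constructed vendor-protocol frame: magic b"VN", one length byte and exactly
    that many body bytes. Returns the body, or None when the frame cannot be parsed.
    Stands in for whatever custom-protocol parser a deployment would supply."""
    if len(payload) < 3 or payload[:2] != b"VN":
        return None
    body_len = payload[2]
    if len(payload) != 3 + body_len:
        return None
    return payload[3:]


def evaluate(txn: Transaction,
             custom_parser: Optional[Callable[[bytes], Optional[bytes]]] = None) -> Verdict:
    """Apply the 'lenient in, strict out' rules: control traffic passes, bulk is
    refused outright, custom-protocol data must parse, and isochronous or interrupt
    data may only flow from the USB device to the protected device."""
    if txn.token == "SETUP" or txn.transfer is Transfer.CONTROL:
        return Verdict(False, "control transfer: enumeration and standard requests pass")
    if txn.transfer is Transfer.BULK:
        return _block(txn, "bulk transfer protocol is prohibited")
    if txn.custom:
        parsed = custom_parser(txn.payload) if custom_parser else None
        if parsed is None:
            return _block(txn, "custom transfer protocol carried unparseable data")
    if txn.token == "OUT":   # host -> device, i.e. protected device -> USB device
        return _block(txn, "%s transfer from protected device to USB device"
                      % txn.transfer.name.lower())
    return Verdict(False, "%s IN transaction: USB device -> protected device permitted"
                   % txn.transfer.name.lower())


def _block(txn: Transaction, reason: str) -> Verdict:
    """Build the disconnect verdict together with the alarm text for the protected device."""
    alarm = ("ALARM: UA1-UA2 switch opened; %s (token=%s ep=0x%02x len=%d)"
             % (reason, txn.token, txn.endpoint, len(txn.payload)))
    return Verdict(True, reason, alarm)


class AccessSwitch:
    """Models the programmable switch between UA1 and UA2 plus the alarm channel
    to the protected device: while closed, transactions are forwarded."""

    def __init__(self) -> None:
        self.closed = True
        self.alarms: List[str] = []

    def process(self, txn: Transaction,
                custom_parser: Optional[Callable[[bytes], Optional[bytes]]] = None) -> Verdict:
        if not self.closed:
            return Verdict(True, "switch already open; transaction not forwarded")
        verdict = evaluate(txn, custom_parser)
        if verdict.disconnect:
            self.closed = False          # open the switch: nothing further passes
            self.alarms.append(verdict.alarm)
        return verdict


if __name__ == "__main__":
    # Constructed traffic: a keyboard report (interrupt IN) passes; the host's
    # LED report (interrupt OUT) is egress under these rules and opens the switch.
    sw = AccessSwitch()
    print(sw.process(Transaction("IN", 0x81, Transfer.INTERRUPT, bytes(8))))
    print(sw.process(Transaction("OUT", 0x01, Transfer.INTERRUPT, b"\x02")))
    print(sw.alarms)
```

Note that under the direction rule as the description states it, even ordinary host-to-device interrupt traffic such as a keyboard LED report counts as egress and opens the switch.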
Based on the foregoing embodiments, the method further includes: before the USB access control device is powered on, closing the switch deployed in the USB access control device so that the USB device and the protected device can communicate normally; or, after the USB access control device is powered on, opening the switch deployed in the USB access control device and triggering the enumeration mechanism of the USB device. Referring to Fig. 3, when the USB device 120 is inserted into the USB access control device 110 and the USB access control device 110 has not yet been powered on, the switch between external interface UA1 and external interface UA2 in the USB access control device 110 is closed so that the USB device 120 and the protected device 130 can communicate normally, thereby implementing the power-off bypass function of the USB access control device 110. Conversely, when the USB device 120 is inserted into the USB access control device 110 and the USB access control device 110 is powered on, the switch between external interface UA1 and external interface UA2 in the USB access control device 110 is opened and the enumeration mechanism of the USB device 120 is triggered, i.e., the USB device 120 is authenticated.
The enumeration mechanism of the USB device, i.e., the authentication process of the USB device, is described in detail through the following embodiments.
Referring to Fig. 3, when the USB device 120 is inserted into the directly connected external interface UA1 and connected through to USB port UC of the protected device, the inserted USB device 120 is powered on and, according to the USB specification, enters the device identification process, i.e., the enumeration process of the USB device 120. For example, when the USB device 120 is inserted into external interface UA1 of the USB access control device 110, the switch between internal interface UB and external interface UA1 of the USB access control device 110 is closed, and at this time the system control module can control the USB communication data analysis module between the two to obtain the descriptors of the USB device 120 and compare the descriptors of the USB device 120 with the registration information of that USB device 120. If the descriptors of the USB device 120 are the same as the registration information of that USB device 120, the switch deployed in the USB access control device 110 (for example, the switch between external interface UA1 and external interface UA2) is closed so that the USB device 120 and the protected device 130 can communicate. At this point the USB device 120 has passed authentication, and the USB device 120 and the protected device 130 can communicate through communication data. During their communication, the USB communication data analysis module between external interface UA1 and external interface UA2 of the USB access control device 110 monitors the communication data between the USB device 120 and the protected device 130, determines the communication protocol type of the communication data between the two according to the USB protocol specification, and then controls the communication between the two according to the communication protocol type of the communication data, for example by disconnecting the communication between the USB device 120 and the protected device 130. In this way the USB access control device 110 externally connected to the protected device 130 protects the data security of the protected device 130, effectively prevents data in the protected device 130 from leaking, and guarantees the data security of the protected device without installing security protection software on the protected device 130.
In addition, in an embodiment of the present invention, while the USB device 120 and the protected device 130 are communicating, the USB communication data analysis module between external interface UA1 and external interface UA2 of the USB access control device 110 also needs to continue obtaining the descriptors of the USB device 120 and continue comparing the descriptors of the USB device 120 with the registration information of that USB device 120. If the descriptors of the USB device 120 differ from the registration information of the USB device 120, the switch deployed in the USB access control device (for example, the switch between external interface UA1 and external interface UA2) is opened, and at this point the USB device 120 and the protected device 130 cannot communicate, which likewise protects the data security of the protected device 130.
Specifically, after the USB device 120 is inserted into UA1 of the USB access control device 110, it is connected through the internal wiring of the USB access control device 110 to the corresponding USB port on the protected device 130; the inserted USB device 120 is powered on and, according to the USB specification, enters the device identification process, i.e., the first enumeration process of the USB device 120. After the first enumeration passes, the USB communication data analysis module must still obtain the communication data between the USB device 120 and the protected device 130 in real time: the USB communication data analysis module running on the main control board analyzes the communication data between the USB device 120 and the protected device 130 in real time, extracts the descriptors from the enumeration process (for example, vendor ID, product ID (PID) and serial number information, number of configurations, identifier of the configuration currently in use, number of interfaces supported by the configuration, interface number, interface class, interface subclass, interface protocol, etc.), and compares and matches them with the registration information; if an inconsistency is found, the communication between the USB device 120 and the protected device 130 is disconnected and an alarm is issued.
In some embodiments of the present invention, the descriptors of the USB device 120 may include any one or more of the following: the device descriptor, the configuration descriptor, the interface descriptor, and the HID descriptor.
According to the USB protocol specification, a USB device 120 has only one device descriptor, and the device descriptor includes the fields in Table 1 below.
Table 1
Figure PCTCN2022130164-appb-000001
Figure PCTCN2022130164-appb-000002
According to the USB protocol specification, the USB device 120 may have at least one or more configuration descriptors; the number of configuration descriptors is limited by bNumConfigurations, the last field of the device descriptor above. For example, the USB device 120 currently selects one of these configurations, and the configuration descriptor information is shown in Table 2, where bConfigurationValue is the identifier of the current configuration.
Table 2
Figure PCTCN2022130164-appb-000003
The interface descriptor described above may be used to describe the interfaces under the current configuration. For example, a single-function USB device 120 has one interface, for example a USB flash drive. A composite-function USB device 120 has multiple interfaces, for example a composite device combining a mouse and a keyboard, where each interface corresponds to one function. A USB device 120 may have multiple configurations, but only one configuration can be selected at a time. When the device class bDeviceClass in the device descriptor is 0, this indicates that the class is identified by the interface descriptor, and the interface class, interface subclass and interface protocol are then used to indicate the class to which this function of the USB device 120 belongs.
In some embodiments of the present invention, obtaining the descriptors of the USB device may include sending a Get_Descriptor control packet to the USB device and receiving the device descriptor that the USB device determines according to the Get_Descriptor control packet. In this way a USB command (for example, a Get_Descriptor control packet) can be sent to the USB device to request its device descriptor, so that the USB access control device can quickly obtain the device descriptor of that USB device.
Referring to Fig. 3, when the USB device 120 is inserted into external interface UA1 of the USB access control device 110, the system control module controls the USB communication data analysis module between internal interface UB and external interface UA1 to obtain the device descriptor of the USB device 120, and determines on the basis of the device descriptor whether to close or open the switch deployed in the USB access control device 110. Specifically, when the USB device 120 is inserted into external interface UA1 of the USB access control device 110, a Get_Descriptor control packet is sent to the USB device 120 through the USB communication data analysis module between internal interface UB and external interface UA1, and the USB device 120 returns its device descriptor to the USB communication data analysis module on the basis of that control packet, for example returning bDeviceClass, bDeviceSubClass, bDeviceProtocol, bLength, bDescriptorType, bString and so on from the device descriptor. In this case the USB communication data analysis module can compare the previously obtained registration information of the USB device 120 with the currently obtained device descriptor, thereby performing the first enumeration of the USB device 120.
For example, comparing the descriptors of the USB device 120 with the registration information of the USB device 120 includes: comparing whether bDeviceClass in the device descriptor is the same as bDeviceClass in the registration information; comparing whether bDeviceSubClass in the device descriptor is the same as bDeviceSubClass in the registration information; comparing whether bDeviceProtocol in the device descriptor is the same as bDeviceProtocol in the registration information; comparing whether bLength in the device descriptor is the same as bLength in the registration information; comparing whether bDescriptorType in the device descriptor is the same as bDescriptorType in the registration information; and comparing whether bString in the device descriptor is the same as bString in the registration information.
In some embodiments of the present invention, if bDeviceClass, bDeviceSubClass, bDeviceProtocol, bLength, bDescriptorType and bString in the device descriptor are respectively the same as bDeviceClass, bDeviceSubClass, bDeviceProtocol, bLength, bDescriptorType and bString in the registration information, the switch deployed in the USB access control device 110 is closed. For example, the switch between external interface UA1 and external interface UA2 in the USB access control device 110 is closed.
In some embodiments of the present invention, if any one of bDeviceClass, bDeviceSubClass, bDeviceProtocol, bLength, bDescriptorType and bString in the device descriptor differs from bDeviceClass, bDeviceSubClass, bDeviceProtocol, bLength, bDescriptorType and bString in the registration information, the switch deployed in the USB access control device 110 is opened. For example, the switch between external interface UA1 and external interface UA2 in the USB access control device 110 is opened. It should be noted that if the device descriptor among the descriptors of the USB device 120 differs from the device descriptor in the registration information and the switch in the USB access control device 110 is itself already in the open state, it is simply kept in the open state.
In some embodiments of the present invention, obtaining the descriptors of the USB device may further include sending a Get_Descriptor_Configuration control packet to the USB device and, in step S520, receiving the configuration descriptor that the USB device determines according to the Get_Descriptor_Configuration control packet. In this way a USB command (for example, a Get_Descriptor_Configuration control packet) can be sent to the USB device to request its configuration descriptor, so that the USB access control device can quickly obtain the configuration descriptor of that USB device.
Referring to Fig. 3, when the USB device 120 is inserted into external interface UA1 of the USB access control device 110, the system control module controls the USB communication data analysis module between internal interface UB and external interface UA1 to obtain the configuration descriptor of the USB device 120, and determines on the basis of the configuration descriptor whether to close or open the switch deployed in the USB access control device 110. Specifically, when the USB device 120 is inserted into external interface UA1 of the USB access control device 110, a Get_Descriptor_Configuration control packet is sent to the USB device 120 through the USB communication data analysis module between internal interface UB and external interface UA1, and the USB device 120 returns its configuration descriptor to the USB communication data analysis module on the basis of that control packet, for example returning bNumInterfaces, bConfigurationValue, wTotalLength and so on from the configuration descriptor. In this case the USB communication data analysis module can compare the previously obtained registration information of the USB device 120 with the currently obtained configuration descriptor, thereby performing the first enumeration of the USB device 120.
For example, comparing the descriptors of the USB device 120 with the registration information of the USB device 120 includes: comparing whether bNumInterfaces in the configuration descriptor is the same as bNumInterfaces in the registration information; comparing whether bConfigurationValue in the configuration descriptor is the same as bConfigurationValue in the registration information; and comparing whether wTotalLength in the configuration descriptor is the same as wTotalLength in the registration information.
In some embodiments of the present invention, if bNumInterfaces, bConfigurationValue and wTotalLength in the configuration descriptor are respectively the same as bNumInterfaces, bConfigurationValue and wTotalLength in the registration information, the switch of the USB access control device 110 is closed. For example, the switch between external interface UA1 and external interface UA2 in the USB access control device 110 is closed.
In some embodiments of the present invention, if any one of bNumInterfaces, bConfigurationValue and wTotalLength in the configuration descriptor differs from bNumInterfaces, bConfigurationValue and wTotalLength in the registration information, the switch of the USB access control device 110 is opened. For example, the switch between external interface UA1 and external interface UA2 in the USB access control device 110 is opened. It should be noted that if the configuration descriptor among the descriptors of the USB device 120 differs from the configuration descriptor in the registration information and the switch in the USB access control device 110 is itself already in the open state, it is simply kept in the open state.
In some embodiments of the present invention, obtaining the descriptors of the USB device may further include sending a Get_Descriptor_Configuration control packet to the USB device and receiving the interface descriptor that the USB device determines according to the Get_Descriptor_Configuration control packet. In this way a USB command (for example, a Get_Descriptor_Configuration control packet) can be sent to the USB device to request its interface descriptor, so that the USB access control device can quickly obtain the interface descriptor of that USB device.
Referring to Fig. 3, when the USB device 120 is inserted into external interface UA1 of the USB access control device 110, the system control module controls the USB communication data analysis module between internal interface UB and external interface UA1 to obtain the interface descriptor of the USB device 120, and determines on the basis of the interface descriptor whether to close or open the switch deployed in the USB access control device 110. Specifically, when the USB device 120 is inserted into external interface UA1 of the USB access control device 110, a Get_Descriptor_Configuration control packet is sent to the USB device 120 through the USB communication data analysis module between internal interface UB and external interface UA1, and the USB device 120 returns its interface descriptor to the USB communication data analysis module on the basis of that control packet, for example returning bInterfaceNumber, bInterfaceClass, bDeviceSubClass, bInterfaceProtocol and so on from the interface descriptor. In this case the USB communication data analysis module can compare the previously obtained registration information of the USB device 120 with the currently obtained interface descriptor, thereby performing the first enumeration of the USB device 120.
For example, comparing the descriptors of the USB device 120 with the registration information of the USB device 120 includes: comparing whether bInterfaceNumber in the interface descriptor is the same as bInterfaceNumber in the registration information; comparing whether bInterfaceClass in the interface descriptor is the same as bInterfaceClass in the registration information; comparing whether bInterfaceSubClass in the interface descriptor is the same as bInterfaceSubClass in the registration information; and comparing whether bInterfaceProtocol in the interface descriptor is the same as bInterfaceProtocol in the registration information.
In some embodiments of the present invention, if the descriptors of the USB device 120 are the same as the registration information of the USB device 120, closing the switch deployed in the USB access control device 110 includes: if bInterfaceNumber, bInterfaceClass, bInterfaceSubClass and bInterfaceProtocol in the interface descriptor are respectively the same as bInterfaceNumber, bInterfaceClass, bInterfaceSubClass and bInterfaceProtocol in the registration information, closing the switch deployed in the USB access control device 110. For example, the switch between external interface UA1 and external interface UA2 in the USB access control device 110 is closed.
In some embodiments of the present invention, if the descriptors of the USB device 120 differ from the registration information of the USB device 120, opening the switch deployed in the USB access control device 110 includes: if any one of bInterfaceNumber, bInterfaceClass, bInterfaceSubClass and bInterfaceProtocol in the interface descriptor differs from bInterfaceNumber, bInterfaceClass, bInterfaceSubClass and bInterfaceProtocol in the registration information, opening the switch deployed in the USB access control device 110. For example, the switch between external interface UA1 and external interface UA2 in the USB access control device 110 is opened. It should be noted that if the interface descriptor among the descriptors of the USB device 120 differs from the interface descriptor in the registration information and the switch in the USB access control device 110 is itself already in the open state, it is simply kept in the open state.
The above embodiments describe that the descriptor of the USB device may be the device descriptor, or the configuration descriptor, or the interface descriptor. It should be noted that the descriptors of the USB device in the present invention may include the device descriptor, the configuration descriptor and the interface descriptor together. Referring to Fig. 3, when the USB device 120 is inserted into external interface UA1 of the USB access control device 110, the device descriptor, configuration descriptor and interface descriptor of the USB device 120 are obtained through the USB communication data analysis module between external interface UA1 and internal interface UB in the USB access control device 110. For example, USB commands are sent to the USB device 120, and the USB device 120 returns its device descriptor, configuration descriptor and interface descriptor according to the corresponding USB commands. The USB communication data analysis module then compares the device descriptor, configuration descriptor and interface descriptor in the registration information of the USB device 120 with the device descriptor, configuration descriptor and interface descriptor obtained; this is the first enumeration of the USB device 120. If the device descriptor, configuration descriptor and interface descriptor among the descriptors of the USB device 120 are respectively the same as the device descriptor, configuration descriptor and interface descriptor in the registration information, the switch deployed in the USB access control device 110 is closed, for example the switch between external interface UA1 and external interface UA2 in the USB access control device 110. Conversely, if any one of the device descriptor, configuration descriptor and interface descriptor among the descriptors of the USB device differs from the device descriptor, configuration descriptor and interface descriptor in the registration information, the switch deployed in the USB access control device 110 is opened, for example the switch between external interface UA1 and external interface UA2 in the USB access control device 110. It should be noted that if any one of the device descriptor, configuration descriptor and interface descriptor among the descriptors of the USB device 120 differs from the device descriptor, configuration descriptor and interface descriptor in the registration information and the switch in the USB access control device 110 is itself already in the open state, it is simply kept in the open state.
Based on the technical solution of the above embodiments, if the USB device 120 is an HID device, i.e., a Human Interface Device (HID), the descriptors of that USB device 120 may include, in addition to the device descriptor, configuration descriptor and interface descriptor described above, an HID descriptor. If the device descriptor, configuration descriptor, interface descriptor and HID descriptor among the descriptors of the USB device 120 are respectively the same as the device descriptor, configuration descriptor, interface descriptor and HID descriptor in the registration information, the switch deployed in the USB access control device 110 is closed. Conversely, if any one of the device descriptor, configuration descriptor, interface descriptor and HID descriptor among the descriptors of the USB device 120 differs from the device descriptor, configuration descriptor, interface descriptor and HID descriptor in the registration information, the switch deployed in the USB access control device 110 is opened. It should be noted that if any one of the device descriptor, configuration descriptor and interface descriptor among the descriptors of the USB device 120 differs from the device descriptor, configuration descriptor and interface descriptor in the registration information and the switch in the USB access control device 110 is itself already in the open state, it is simply kept in the open state.
Referring to Fig. 3, after the first enumeration of the USB device 120 passes, the switch between external interface UA1 and external interface UA2 in the USB access control device 110 is closed and the USB device 120 can communicate with the protected device 130. However, there is the possibility that a user, while using the USB device 120, changes the function of the USB device 120 through a hidden function of the USB device 120, for example by opening a hidden storage area or activating a storage function; such operations cause the descriptors of the USB device 120 to change, which triggers a re-enumeration of the USB device 120. To guard against the user enabling other functions of the USB device 120 during use, the USB communication data analysis module analyzes the USB communication data between UA1 and UA2 in real time, and if, after the USB device 120 has passed authentication, re-enumeration information is found during use of the USB device 120, it disconnects the communication between UA1 and UA2 and triggers an alarm. For example, after the first enumeration of the USB device 120 passes, the switch between external interface UA1 and external interface UA2 in the USB access control device 110 is closed and the USB device 120 can communicate with the protected device 130. During their communication, the USB communication data analysis module between external interface UA1 and external interface UA2 in the USB access control device 110 must also obtain the descriptors of the USB device 120 in real time, and when it detects that the descriptors of the USB device 120 have been modified, it opens the switch between external interface UA1 and external interface UA2 and performs a second enumeration of the USB device. This prevents the user, in actual use, from enabling the storage or unauthorized functions of the USB device 120 to evade data security supervision and thereby leak data from the protected device 110, and in this way the protection of the protected device 110 is strengthened.
With the method provided by the present invention, all the interfaces of the protected device 130 can be taken over, ensuring that use of the USB interfaces or serial port devices of the protected device 130 is accomplished through the external terminal protection device (i.e., the USB access control device 110), so that the USB interfaces or serial ports of the protected device 130 are protected without installing security protection software on the protected device 130. For example, when the USB device 120 is used, the USB access control device 110 compares the descriptor information of the USB device 120 with the registration information of that USB device 120, and if the comparison result is different, the USB device 120 is prohibited from accessing and its use is terminated.
Referring to Fig. 3, the USB communication data analysis modules in the USB access control device 110 may be connected in series between the USB device 120 inserted by the user and the protected device 130, and between the USB device 120 and the system control module inside the USB access control device 110. Referring to Fig. 8, by forwarding the communication data through a data forwarding module, the USB communication data analysis module can instead be bypassed onto the line between the USB device 120 inserted by the user and the protected device 130, and between it and the system control module inside the USB access control device 110. A switch exists between the USB device 120 inserted by the user and the protected device 130, for example a programmable electronic switch, with which a control program can control the connection and disconnection between the USB device 120 inserted by the user and the protected device 130. The USB access control device 110 can be connected to a control center through a network port for unified management, or it can run stand-alone without a control center.
Referring to Fig. 9, a USB device needs to be registered, i.e., authorized, before use. Traditional device authorization only targets the vendor ID (VID), product ID (PID) and serial number information of the USB device, but because the vendor ID, product ID (PID) and serial number information can be tampered with, such registration cannot prevent the situation where, after a user's USB device passes registration review, the firmware information of a USB device is modified so that the vendor ID, product ID (PID) and serial number of a malicious USB device match those of a legitimately registered USB device. In view of this, the registration process in the present invention obtains the descriptor information of the USB device in order to confirm the access mode of the USB device and load the corresponding driver. USB descriptors include the device descriptor, configuration descriptor, interface descriptor, endpoint descriptor and string descriptor; HID devices additionally include three descriptors, namely the HID descriptor, report descriptor and physical descriptor, and so on.
Specifically, before a USB device is inserted into USB access control device D or F, it needs to be inserted into USB registration port UA of USB registration device C for registration and authorization. USB registration device C is connected to management workstation B through a USB port. For example, when the USB device is inserted into USB registration device C, the descriptors of the USB device, i.e., the registration information, can be obtained through the USB communication data analysis module in USB registration device C, and the descriptors of the USB device are verified according to the USB protocol specification. The verified descriptors of the USB device are then sent to management workstation B through the USB communication port. Management workstation B can report the registration information of the USB device to management server A over the network, so that management server A can manage the registration information of USB devices in a unified manner. When a USB device is inserted into USB access control device D or F, the registration information of the USB device can be requested from management server A, which makes it convenient to compare the registration information of the USB device with the descriptors of the USB device after the USB device is inserted into USB access control device D or F. If they are consistent, the USB device can communicate with protected device G or E; conversely, if they are inconsistent, the USB device cannot communicate with protected device G or E.
In the embodiments of the present invention, the registration and authorization of USB devices may be implemented in software or in hardware. Fig. 9 shows the registration and authorization of USB devices implemented in hardware, for example through the cooperation of USB registration device C and management workstation B. Fig. 10 shows the registration and authorization of USB devices implemented through software installed on management workstation B. For example, the user inserts the USB device into a USB port of the management workstation, and the registration and authorization of the USB device are carried out by the USB device registration module and the USB communication data analysis module in management workstation B.
When a USB device is registered and authorized, the registration software or hardware reads the device descriptor, configuration descriptor, interface descriptor and other information of the USB device, and records the current USB interface descriptor information according to the configuration descriptor currently used by the USB device. This information includes: vendor ID, product ID (PID) and serial number information, number of configurations, identifier of the configuration currently in use, number of interfaces supported by the configuration, interface number, interface class, interface subclass, interface protocol, etc., and a unique identifier is generated from this information as the legitimacy mark of the USB device.
If the USB device is a Human Interface Device (HID), then, given that there are currently many attacks based on the HID device class, the registration software or hardware further collects the HID descriptor information of the HID device. According to the USB protocol specification, the type definition of an HID device may be placed in the interface descriptor; the USB device descriptor and configuration descriptor do not contain information about the HID device.
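Descriptor capture for registration (this and the preceding paragraph) and the descriptor comparison of the first and repeated enumeration described with Fig. 3, as an added example that is not the applicant's code: the descriptor bytes are constructed samples, the compared fields follow those the description names, and a SHA-256 digest over the canonical record is this example's choice for the "unique identifier".

```python
import hashlib
import json
import struct
from typing import Dict, List, Tuple

# Descriptor type codes from chapter 9 of the USB 2.0 specification and the HID class specification.
DEVICE, CONFIGURATION, INTERFACE, ENDPOINT, HID = 0x01, 0x02, 0x04, 0x05, 0x21


def parse_device_descriptor(raw: bytes) -> Dict:
    """Return the device-descriptor fields the description compares (18-byte layout)."""
    f = struct.unpack("<BBHBBBBHHHBBBB", raw[:18])
    return {"bLength": f[0], "bDescriptorType": f[1], "bDeviceClass": f[3],
            "bDeviceSubClass": f[4], "bDeviceProtocol": f[5], "idVendor": f[7],
            "idProduct": f[8], "iSerialNumber": f[12], "bNumConfigurations": f[13]}


def parse_configuration_set(raw: bytes) -> Dict:
    """Walk the descriptor set returned for GET_DESCRIPTOR(CONFIGURATION): the
    configuration descriptor followed by interface, HID and endpoint descriptors,
    each starting with bLength and bDescriptorType."""
    cfg: Dict = {}
    interfaces: List[Dict] = []
    pos = 0
    while pos + 2 <= len(raw):
        length, dtype = raw[pos], raw[pos + 1]
        if length < 2 or pos + length > len(raw):
            raise ValueError("malformed descriptor at offset %d" % pos)
        body = raw[pos:pos + length]
        if dtype == CONFIGURATION and length >= 6:
            _, _, total, n_if, value = struct.unpack("<BBHBB", body[:6])
            cfg = {"wTotalLength": total, "bNumInterfaces": n_if,
                   "bConfigurationValue": value, "interfaces": interfaces}
        elif dtype == INTERFACE and length >= 9:
            interfaces.append({"bInterfaceNumber": body[2], "bInterfaceClass": body[5],
                               "bInterfaceSubClass": body[6], "bInterfaceProtocol": body[7],
                               "hid": None, "endpoints": []})
        elif dtype == HID and length >= 9 and interfaces:   # only on HID interfaces
            _, _, bcd_hid, _, n_desc, _, rep_len = struct.unpack("<BBHBBBH", body[:9])
            interfaces[-1]["hid"] = {"bcdHID": bcd_hid, "bNumDescriptors": n_desc,
                                     "wDescriptorLength": rep_len}
        elif dtype == ENDPOINT and length >= 7 and interfaces:
            interfaces[-1]["endpoints"].append({"bEndpointAddress": body[2],
                                                "bmAttributes": body[3]})
        pos += length
    if not cfg:
        raise ValueError("no configuration descriptor in set")
    return cfg


def build_registration(device_raw: bytes, config_raw: bytes) -> Dict:
    """Registration record taken at the registration device: the descriptor fields
    plus a SHA-256 fingerprint over them as the device's legitimacy mark."""
    record = {"device": parse_device_descriptor(device_raw),
              "configuration": parse_configuration_set(config_raw)}
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    record["fingerprint"] = hashlib.sha256(canonical.encode()).hexdigest()
    return record


def _diff(expected, observed, path: str, out: List[str]) -> None:
    """Field-by-field comparison; appends the path of every differing field."""
    if isinstance(expected, dict) and isinstance(observed, dict):
        for key in sorted(set(expected) | set(observed)):
            _diff(expected.get(key), observed.get(key), path + "." + key, out)
    elif isinstance(expected, list) and isinstance(observed, list):
        if len(expected) != len(observed):
            out.append(path + ".count")
        for i, (e, o) in enumerate(zip(expected, observed)):
            _diff(e, o, "%s[%d]" % (path, i), out)
    elif expected != observed:
        out.append(path)


def check_enumeration(registration: Dict, device_raw: bytes,
                      config_raw: bytes) -> Tuple[bool, List[str]]:
    """Enumeration check (first or repeated): re-read the descriptors and compare them
    with the registration. Returns (close_switch, mismatches); any mismatch means the
    UA1-UA2 switch is opened, or stays open if it already is."""
    observed = build_registration(device_raw, config_raw)
    mismatches: List[str] = []
    for part in ("device", "configuration"):
        _diff(registration[part], observed[part], part, mismatches)
    return (not mismatches, mismatches)


# Constructed sample: a boot-protocol keyboard (class 3, subclass 1, protocol 1)
# with vendor/product IDs 0x1234/0x5678 chosen for the example.
KEYBOARD_DEVICE = bytes([18, 1, 0x00, 0x02, 0, 0, 0, 8, 0x34, 0x12, 0x78, 0x56,
                         0x00, 0x01, 1, 2, 3, 1])
KEYBOARD_CONFIG = (bytes([9, 2, 34, 0, 1, 1, 0, 0xA0, 50])            # wTotalLength 34
                   + bytes([9, 4, 0, 0, 1, 3, 1, 1, 0])                # interface 0: HID keyboard
                   + bytes([9, 0x21, 0x11, 0x01, 0, 1, 0x22, 63, 0])   # HID descriptor
                   + bytes([7, 5, 0x81, 0x03, 8, 0, 10]))              # EP1 IN, interrupt
# The same device after a hidden storage function is switched on: a second interface
# (mass storage, class 8) with two bulk endpoints appears, so bNumInterfaces,
# wTotalLength and the interface list all differ from the registration.
TAMPERED_CONFIG = (bytes([9, 2, 57, 0, 2, 1, 0, 0xA0, 50])
                   + KEYBOARD_CONFIG[9:]
                   + bytes([9, 4, 1, 0, 2, 8, 6, 0x50, 0])
                   + bytes([7, 5, 0x82, 0x02, 0x00, 0x02, 0])
                   + bytes([7, 5, 0x02, 0x02, 0x00, 0x02, 0]))

if __name__ == "__main__":
    registered = build_registration(KEYBOARD_DEVICE, KEYBOARD_CONFIG)
    print("first enumeration:", check_enumeration(registered, KEYBOARD_DEVICE, KEYBOARD_CONFIG))
    print("re-enumeration:   ", check_enumeration(registered, KEYBOARD_DEVICE, TAMPERED_CONFIG))
```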
Referring to Figs. 9 and 11, the USB communication data analysis module may be connected in series between the USB registration port and the USB communication port, or bypassed onto the communication line between the USB registration port and the USB communication port by means of a data forwarding module.
Those skilled in the art can understand that all or part of the steps implementing the above embodiments are implemented as a computer program executed by a CPU. When the computer program is executed by the CPU, the above functions defined by the above method provided by the present disclosure are performed. The program may be stored in a computer-readable storage medium, which may be a read-only memory, a magnetic disk, an optical disk, or the like.
In addition, it should be noted that the above drawings are only schematic illustrations of the processing included in the method according to the exemplary embodiments of the present disclosure, and are not intended to be limiting. It is easy to understand that the processing shown in the above drawings does not indicate or limit the chronological order of these processes. It is also easy to understand that these processes may be performed, for example, synchronously or asynchronously in multiple modules.
The following are apparatus embodiments of the present disclosure, which may be used to perform the method embodiments of the present disclosure. For details not disclosed in the apparatus embodiments of the present disclosure, please refer to the method embodiments of the present disclosure.
Fig. 12 is a block diagram of an apparatus for controlling communication between a USB device and a protected device according to an exemplary embodiment.
As shown in Fig. 12, the apparatus 200 for controlling communication between a USB device and a protected device includes: a monitoring module 210, a communication protocol type determination module 220 and a control module 230.
Specifically, the monitoring module 210 monitors, after the USB device is inserted into the USB access control device and passes authentication, the communication data between the USB device and the protected device.
The communication protocol type determination module 220 is configured to determine the communication protocol type of the communication data according to the USB protocol specification.
The control module 230 is configured to disconnect the communication between the USB device and the protected device according to the communication protocol type of the communication data.
With the USB device access control apparatus 200, the USB access control device externally connected to the protected device can protect the data security of the protected device and effectively prevent data in the protected device from leaking, and the data security of the protected device can be guaranteed without installing security protection software on the protected device. For example, after the USB device is inserted into the USB access control device and passes authentication, the USB access control device monitors the communication data between the USB device and the protected device, determines the communication protocol type of the communication data between the two according to the USB protocol specification, and then disconnects the communication between the USB device and the protected device according to the communication protocol type of the communication data.
According to an embodiment of the present invention, the apparatus 200 for controlling communication between a USB device and a protected device can be used to implement the method for controlling communication between a USB device and a protected device described in the above embodiments.
Fig. 13 is a block diagram of an electronic device according to an exemplary embodiment.
An electronic device 300 according to this embodiment of the present disclosure is described below with reference to Fig. 13. The electronic device 300 shown in Fig. 13 is only an example and should not impose any limitation on the functions and scope of use of the embodiments of the present disclosure.
As shown in Fig. 13, the electronic device 300 takes the form of a general-purpose computing device. The components of the electronic device 300 may include, but are not limited to: at least one processing unit 310, at least one storage unit 320, a bus 330 connecting the different system components (including the storage unit 320 and the processing unit 310), a display unit 340, and so on.
The storage unit stores program code that can be executed by the processing unit 310, so that the processing unit 310 performs the steps according to the various exemplary embodiments of the present disclosure described in this specification. For example, the processing unit 310 may perform the steps shown in Figs. 2 to 6.
The storage unit 320 may include a readable medium in the form of a volatile storage unit, such as a random access memory (RAM) 3201 and/or a cache memory 3202, and may further include a read-only memory (ROM) 3203.
The storage unit 320 may also include a program/utility 3204 having a set of (at least one) program modules 3205, such program modules 3205 including but not limited to: an operating system, one or more application programs, other program modules and program data, each of which, or some combination of which, may include an implementation of a network environment.
The bus 330 may represent one or more of several types of bus structures, including a storage unit bus or storage unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus structures.
The electronic device 300 may also communicate with one or more external devices 300 (such as a keyboard, pointing device, Bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device 300, and/or with any device (such as a router, modem, etc.) that enables the electronic device 300 to communicate with one or more other computing devices. Such communication may take place through the input/output (I/O) interface 350. Moreover, the electronic device 300 may also communicate with one or more networks (such as a local area network (LAN), a wide area network (WAN) and/or a public network such as the Internet) through the network adapter 360. The network adapter 360 may communicate with the other modules of the electronic device 300 through the bus 330. It should be understood that, although not shown in the figure, other hardware and/or software modules may be used in conjunction with the electronic device 300, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and so on.
Through the description of the above embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with the necessary hardware. Therefore, as shown in Fig. 14, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, USB flash drive, portable hard disk, etc.) or on a network, and which includes several instructions to cause a computing device (which may be a personal computer, server, or network device, etc.) to perform the above method according to the embodiments of the present disclosure.
The software product may employ any combination of one or more readable media. A readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but is not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of the above. More specific examples (a non-exhaustive list) of readable storage media include: an electrical connection having one or more wires, a portable disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above.
The computer-readable storage medium may include a data signal propagated in baseband or as part of a carrier wave, carrying readable program code. Such a propagated data signal may take many forms, including but not limited to an electromagnetic signal, an optical signal, or any suitable combination of the above. A readable storage medium may also be any readable medium other than a readable storage medium that can send, propagate or transmit a program for use by or in connection with an instruction execution system, apparatus or device. The program code contained on the readable storage medium may be transmitted using any suitable medium, including but not limited to wireless, wired, optical cable, RF, etc., or any suitable combination of the above.
Program code for performing the operations of the present disclosure may be written in any combination of one or more programming languages, including object-oriented programming languages such as Java and C++, as well as conventional procedural programming languages such as the "C" language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user's computing device through any kind of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computing device (for example, through the Internet using an Internet service provider).
The above computer-readable medium carries one or more programs which, when executed by the device, cause the computer-readable medium to implement the following functions: the USB access control device externally connected to the protected device can protect the data security of the protected device and effectively prevent data in the protected device from leaking, and the data security of the protected device can be guaranteed without installing security protection software on the protected device. For example, after the USB device is inserted into the USB access control device and passes authentication, the USB access control device monitors the communication data between the USB device and the protected device, determines the communication protocol type of the communication data between the two according to the USB protocol specification, and then disconnects the communication between the USB device and the protected device according to the communication protocol type of the communication data.
Those skilled in the art can understand that the above modules may be distributed in the apparatus according to the description of the embodiments, or may be changed correspondingly so as to be located in one or more apparatuses different from those of this embodiment. The modules of the above embodiments may be combined into one module, or further split into multiple sub-modules.
Through the description of the above embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with the necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, USB flash drive, portable hard disk, etc.) or on a network, and which includes several instructions to cause a computing device (which may be a personal computer, server, mobile terminal, or network device, etc.) to perform the method according to the embodiments of the present disclosure.
The exemplary embodiments of the present disclosure have been specifically shown and described above. It should be understood that the present disclosure is not limited to the detailed structures, arrangements or implementation methods described herein; rather, the present disclosure is intended to cover the various modifications and equivalent arrangements included within the spirit and scope of the appended claims.

Claims (14)

  1. A method for controlling communication between a USB device and a protected device, wherein the method is applied to a USB access control device, the USB access control device being connected to the protected device through an interface, and the method comprises:
    after the USB device is inserted into the USB access control device and passes authentication, monitoring communication data between the USB device and the protected device;
    determining a communication protocol type of the communication data according to the USB protocol specification; and
    disconnecting the communication between the USB device and the protected device according to the communication protocol type of the communication data.
  2. The method for controlling communication between a USB device and a protected device according to claim 1, wherein determining the communication protocol type of the communication data according to the USB protocol specification comprises:
    obtaining communication protocol information from the communication data according to the USB protocol specification; and
    determining, according to the communication protocol information, that the communication protocol type of the communication data is the bulk transfer protocol.
  3. The method for controlling communication between a USB device and a protected device according to claim 2, wherein disconnecting the communication between the USB device and the protected device according to the communication protocol type of the communication data comprises:
    if the communication protocol type of the communication data is the bulk transfer protocol, disconnecting the communication between the USB device and the protected device.
  4. The method for controlling communication between a USB device and a protected device according to claim 1, wherein determining the communication protocol type of the communication data according to the USB protocol specification comprises:
    obtaining communication protocol information from the communication data according to the USB protocol specification; and
    determining, according to the communication protocol information, that the communication protocol type of the communication data is the isochronous transfer protocol.
  5. The method for controlling communication between a USB device and a protected device according to claim 4, wherein disconnecting the communication between the USB device and the protected device according to the communication protocol type of the communication data comprises:
    if the communication protocol type of the communication data is the isochronous transfer protocol, determining a data flow direction of the communication data; and
    if the data flow direction is from the protected device to the USB device, disconnecting the communication between the USB device and the protected device.
  6. The method for controlling communication between a USB device and a protected device according to claim 1, wherein determining the communication protocol type of the communication data according to the USB protocol specification comprises:
    obtaining communication protocol information from the communication data according to the USB protocol specification; and
    determining, according to the communication protocol information, that the communication protocol type of the communication data is the interrupt transfer protocol.
  7. The method for controlling communication between a USB device and a protected device according to claim 6, wherein disconnecting the communication between the USB device and the protected device according to the communication protocol type of the communication data comprises:
    if the communication protocol type of the communication data is the interrupt transfer protocol, determining a data flow direction of the communication data; and
    if the data flow direction is from the protected device to the USB device, disconnecting the communication between the USB device and the protected device.
  8. The method for controlling communication between a USB device and a protected device according to claim 1, wherein determining the communication protocol type of the communication data according to the USB protocol specification comprises:
    obtaining communication protocol information from the communication data according to the USB protocol specification; and
    determining, according to the communication protocol information, that the communication protocol type of the communication data is a custom transfer protocol.
  9. The method for controlling communication between a USB device and a protected device according to claim 8, wherein disconnecting the communication between the USB device and the protected device according to the communication protocol type of the communication data comprises:
    if the communication protocol type of the communication data is the custom transfer protocol, determining whether the communication data is unparseable data; and
    if the communication data is the unparseable data, disconnecting the communication between the USB device and the protected device.
  10. The method for controlling communication between a USB device and a protected device according to claim 1, wherein the method further comprises:
    when disconnecting the communication between the USB device and the protected device, sending alarm information to the protected device.
  11. The method for controlling communication between a USB device and a protected device according to claim 1, wherein the method further comprises:
    before the USB access control device is powered on, closing a switch deployed in the USB access control device so that the USB device and the protected device can communicate normally; or
    after the USB access control device is powered on, opening the switch deployed in the USB access control device and triggering an enumeration mechanism of the USB device.
  12. An apparatus for controlling communication between a USB device and a protected device, wherein the apparatus is applied to a USB access control device, the USB access control device being connected to the protected device through an interface, and the apparatus comprises:
    a monitoring module which, after the USB device is inserted into the USB access control device and passes authentication, monitors communication data between the USB device and the protected device;
    a communication protocol type determination module configured to determine a communication protocol type of the communication data according to the USB protocol specification; and
    a control module configured to disconnect the communication between the USB device and the protected device according to the communication protocol type of the communication data.
  13. An electronic device, comprising:
    one or more processors; and
    a storage device for storing one or more programs;
    wherein, when the one or more programs are executed by the one or more processors, the one or more processors are caused to implement the method according to any one of claims 1 to 11.
  14. A computer-readable medium on which a computer program is stored, wherein the program, when executed by a processor, implements the method according to any one of claims 1 to 11.
PCT/CN2022/130164 2021-11-30 2022-11-06 Method, apparatus and electronic device for controlling communication between a USB device and a protected device WO2023098407A1 (zh)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202111443682.X 2021-11-30
CN202111443682.XA CN114186293A (zh) 2021-11-30 2021-11-30 Method, apparatus and electronic device for controlling communication between a USB device and a protected device

Publications (1)

Publication Number Publication Date
WO2023098407A1 true WO2023098407A1 (zh) 2023-06-08


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22900212

Country of ref document: EP

Kind code of ref document: A1