Technical Field
The present invention belongs to the technical field of Internet of Things (IoT) security protection, and in particular relates to a device and method for identifying IoT terminal equipment by explicit plus implicit features.
Background
With the spread of IoT devices and the growing range of IoT applications, more critical industries use IoT terminals to exchange information between things, and between things and people, and aggregate the data collected by very large numbers of terminals at data centres for analysis and processing. At the same time, the sheer number of IoT terminal devices is convenient for attackers: by impersonating an IoT terminal, an attacker can join the user's network, reach the data centre directly, and tamper with or destroy data or cause other serious security problems. A sound IoT device identification mechanism is therefore needed to keep terminal admission under control and data secure and reliable.
Two traditional methods exist for authenticating IoT terminals. The first relies on basic terminal or network information: the device number, QR code, IP address, communication port number, MAC address and similar attributes of the terminal are collected and analysed for identification. The second relies on cryptographic mechanisms, using symmetric keys or public/private key pairs for authentication. Each has advantages and drawbacks:
(1) Method 1 can be defeated by impersonation: an attacker only needs to obtain the relevant information of a legitimate IoT terminal to imitate it, join the network and pass identification;
(2) Method 2 protects the terminal's identity information cryptographically, which secures both the right to send data and the receipt of data, but it requires the IoT terminal to be customised, adding power consumption and cost. This is feasible for small batches or specific managed devices, but not for the large number of sensor-type dumb terminals currently on the market.
Summary of the Invention
The purpose of the present invention is to overcome the defects of the prior art by providing a device and method for identifying IoT terminal equipment by explicit plus implicit features, improving the identity authentication mechanism for IoT terminals and raising the ability to detect counterfeit terminals without requiring the terminals themselves to be customised or modified.
This object is achieved by the following technical solution:
A device for identifying IoT terminal equipment by explicit plus implicit features, the device comprising:
a data preprocessing unit, which receives data sent by an IoT terminal over the network, forwards the reported sensing payload to the identity decision unit, extracts the explicit terminal features of the data source and passes them to the feature matching unit, and forwards the physical signal and network transmission information of the current transmission to the feature extraction unit;
a feature extraction unit, which extracts implicit terminal features from the physical signal and network transmission information, builds up the implicit feature profile of the IoT terminal through learning and accumulation, and registers it in the feature library;
a feature matching unit, which compares the received terminal features with the information stored in the terminal feature library and notifies the identity decision unit of the comparison result;
an identity decision unit, which decides whether the IoT terminal's identity is legitimate according to the feature matching result and the configured security policy; when the decision is legitimate it feeds the identification result back to the feature extraction unit and sends the payload to the data reporting unit, otherwise it feeds the result back to the feature extraction unit and discards the buffered reported data;
a data reporting unit, which forwards the payload to the back end;
a terminal feature library, which stores the features of IoT terminal devices; and
a policy library, which stores the security policies issued by the back end.
Further, the device also includes an alarm unit: when the identity decision unit decides that the IoT terminal's identity is illegitimate, it issues an alarm instruction to the alarm unit, which sends an alarm message to the back end.
Further, the explicit terminal features include the terminal identity ID, MAC address, IP address and port number.
Further, the implicit terminal features include time-domain features, frequency-domain features, spectrum, communication rate, communication protocol type and information reporting frequency.
In another aspect, the present invention also provides a method for identifying IoT terminal equipment by explicit plus implicit features, implemented on any of the above devices, the method comprising:
when an IoT terminal reports collected data to the IoT application server, the data is first sent over the transmission network to the IoT security gateway for identity authentication, and the gateway's data preprocessing unit receives and classifies the received information;
the data preprocessing unit forwards the reported sensing payload to the identity decision unit, extracts the explicit terminal features of the data source and passes them to the feature matching unit for identification, and forwards the physical signal and network transmission information of the current transmission to the feature extraction unit;
the feature extraction unit extracts implicit terminal features from the physical signal and network transmission information and provides them to the feature matching unit for identification;
the feature matching unit compares the acquired terminal features with those stored in the feature library, records the comparison result for each feature, and sends the results to the identity decision unit;
the identity decision unit decides whether the IoT terminal's identity is legitimate according to the comparison results and the configured security policy; if legitimate, it feeds the identification result back to the feature extraction unit and forwards the sensing payload to the data reporting unit, otherwise it feeds the result back to the feature extraction unit and discards the sensing payload.
Further, the implicit terminal features that the feature extraction unit derives from the physical signal include time-domain features, frequency-domain features, spectrum and communication rate, and those derived from the network transmission information include communication protocol type and information reporting frequency.
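The following is an added worked example, not code from the patent, of the split this clause describes: time-domain, frequency-domain, spectrum and communication-rate features from a physical-signal sample vector, and protocol type and reporting frequency from the transport metadata. Everything in it is an assumption made for illustration: the function names, the idea that the gateway is handed a short digitised baseband sample vector per frame (a real NB-IoT modem usually does not expose raw samples to a gateway), and the constructed two-tone waveform and arrival timestamps used as input.

```python
"""Implicit terminal features from the physical signal and the transport metadata.
Added example, not the patent's code. It assumes the gateway is handed, per report,
a short digitised baseband sample vector of the frame (a strong assumption: NB-IoT
modems usually do not expose raw samples) plus frame arrival times, sizes and protocol."""
import cmath
import math
from typing import Sequence

def time_domain(samples: Sequence[float]) -> dict:
    """Time-domain features: RMS level, peak amplitude and zero-crossing rate."""
    n = len(samples)
    rms = math.sqrt(sum(s * s for s in samples) / n)
    peak = max(abs(s) for s in samples)
    crossings = sum(1 for a, b in zip(samples, samples[1:]) if (a < 0) != (b < 0))
    return {"rms": rms, "peak": peak, "zcr": crossings / (n - 1)}

def magnitude_spectrum(samples: Sequence[float]) -> list:
    """Single-sided DFT magnitude for bins 0 .. n/2 (plain O(n^2) DFT, no numpy needed)."""
    n = len(samples)
    return [abs(sum(x * cmath.exp(-2j * math.pi * k * t / n) for t, x in enumerate(samples))) / n
            for k in range(n // 2 + 1)]

def frequency_domain(mags: Sequence[float], n: int, sample_rate: float) -> dict:
    """Frequency-domain features: dominant frequency and spectral centroid, DC bin ignored."""
    hz_per_bin = sample_rate / n
    k_peak = max(range(1, len(mags)), key=mags.__getitem__)
    centroid = sum(k * m for k, m in enumerate(mags) if k) / sum(mags[1:]) * hz_per_bin
    return {"dominant_hz": k_peak * hz_per_bin, "centroid_hz": centroid}

def spectrum_shape(mags: Sequence[float], bands: int = 4) -> list:
    """Spectrum feature: share of non-DC energy falling in each of `bands` equal-width bands."""
    energy = [m * m for m in mags[1:]]
    total, width = sum(energy), math.ceil(len(energy) / bands)
    return [sum(energy[i:i + width]) / total for i in range(0, len(energy), width)]

def transport_features(arrivals: Sequence[float], sizes: Sequence[int], protocol: str) -> dict:
    """Network-transmission features: protocol type, reporting interval (mean gap and its
    jitter) and communication rate as bytes per second over the observed window."""
    gaps = [b - a for a, b in zip(arrivals, arrivals[1:])]
    mean_gap = sum(gaps) / len(gaps)
    jitter = math.sqrt(sum((g - mean_gap) ** 2 for g in gaps) / len(gaps))
    return {"protocol": protocol, "interval_s": mean_gap, "jitter_s": jitter,
            "bytes_per_s": sum(sizes) / (arrivals[-1] - arrivals[0])}

def extract_implicit_features(samples, sample_rate, arrivals, sizes, protocol) -> dict:
    """S5: implicit features from the physical signal and the network transmission
    information, merged into one flat record that a profile can be learned from."""
    feats = time_domain(samples)
    mags = magnitude_spectrum(samples)
    feats.update(frequency_domain(mags, len(samples), sample_rate))
    feats["bands"] = spectrum_shape(mags)
    feats.update(transport_features(arrivals, sizes, protocol))
    return feats

def demo_features() -> dict:
    """Constructed input: a 256-sample frame at 16 kHz made of a 1 kHz tone (amplitude 1.0)
    plus a 3 kHz tone (amplitude 0.5), and five 48-byte CoAP frames about 60 s apart."""
    fs, n = 16_000.0, 256
    samples = [math.sin(2 * math.pi * 1000 * t / fs) + 0.5 * math.sin(2 * math.pi * 3000 * t / fs)
               for t in range(n)]
    return extract_implicit_features(samples, fs, [0.0, 60.1, 119.9, 180.2, 240.0], [48] * 5, "coap")
```

The record that comes out is flat on purpose: the numeric entries (RMS, peak, dominant frequency, centroid, interval, jitter, bytes per second) are what a profile can accumulate a mean and spread for, the band-energy vector is the "spectrum" feature, and the protocol tag is categorical. The communication rate is measured as bytes per second over the observation window, which a gateway can do without decoding the radio layer.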
Further, the method also comprises:
when the identity decision unit decides that the IoT terminal's identity is illegitimate, discarding the data to be reported, and the feature extraction unit discarding the implicit terminal features extracted this time.
Further, the method also comprises:
when the identity decision unit decides that the IoT terminal's identity is legitimate, using the implicit features extracted this time as a feature sample of that terminal for learning, and updating the terminal feature library.
Further, the method also comprises:
before feature identification begins, providing the basic information of all known legitimate IoT terminals to the feature identification device as explicit terminal features, which the device stores in the terminal feature library.
Further, the method also comprises:
before feature identification begins, configuring the security policy and issuing it to the feature identification device, which stores it in the policy library.
The beneficial effects of the present invention are:
The present invention proposes a method and device for identifying IoT terminal equipment by explicit plus implicit features, which provides identity authentication for IoT terminals, in particular sensor-type dumb terminals, and greatly improves the ability to discriminate counterfeit sensor terminals, meeting the security requirements of critical industries for IoT applications.
Brief Description of the Drawings
FIG. 1 is a structural block diagram of the explicit plus implicit IoT terminal device feature identification device according to an embodiment of the present invention;
FIG. 2 is a flowchart of the explicit plus implicit IoT terminal device feature identification method according to an embodiment of the present invention.
Detailed Description
The embodiments of the present invention are described below through specific examples; those skilled in the art can readily understand other advantages and effects of the invention from the content disclosed in this specification. The invention can also be implemented or applied through other different specific embodiments, and the details in this specification can be modified or changed in various ways from different viewpoints and for different applications without departing from the spirit of the invention. It should be noted that, where there is no conflict, the following embodiments and the features in them can be combined with one another.
Based on the embodiments of the present invention, all other embodiments obtained by a person of ordinary skill in the art without creative effort fall within the scope of protection of the invention.
The traditional IoT terminal authentication methods have their own advantages and disadvantages, mainly:
(1) they can be defeated by impersonation: an attacker only needs to obtain the relevant information of a legitimate IoT terminal to imitate it, join the network and pass identification;
(2) they require the IoT terminal to be customised, adding power consumption and cost; this is feasible for small batches or specific managed devices, but not for the large number of sensor-type dumb terminals currently on the market.
To solve the above technical problems, the following embodiments of the explicit plus implicit IoT terminal device feature identification device and method of the present invention are proposed.
Example 1
Referring to FIG. 1, which is a structural block diagram of the explicit plus implicit IoT terminal device feature identification device of this embodiment, the device mainly includes a data preprocessing unit, a feature extraction unit, a feature matching unit, an identity decision unit, a data reporting unit, an alarm unit, a terminal feature library and a policy library.
Specifically, the data preprocessing unit receives the data sent by the IoT terminal over the network, forwards the reported sensing payload to the identity decision unit, extracts explicit terminal feature information such as the terminal identity ID, MAC address, IP address and port number of the data source and hands it to the feature matching unit for identification, and at the same time forwards the physical signal, network transmission information and the like of the current transmission to the feature extraction unit.
The feature extraction unit extracts implicit terminal features, including time-domain features, frequency-domain features, spectrum, communication rate, communication protocol and information reporting frequency, from the physical signal and network transmission information; through learning and accumulation these form the implicit feature profile of the terminal, which is registered in the feature library.
The feature matching unit compares the terminal features of the current report with the information stored in the terminal feature library and notifies the identity decision unit of the comparison result.
The identity decision unit decides whether the IoT terminal's identity is legitimate according to the feature matching result and the configured security policy, and acts on the decision.
The data reporting unit forwards the sensing data reported by legitimate terminals to the back-end IoT application server.
The alarm unit reports illegitimate terminal access to the back-end management system.
The terminal feature library stores the features of IoT terminal devices.
The policy library stores the security policies issued by the back-end management system.
The device works as follows:
S1. The management system provides the basic information of all legitimate IoT terminals it manages, such as terminal ID, MAC address, IP address and port number, to the IoT security gateway as explicit terminal features, and the gateway stores them in the terminal feature library;
S2. The management system configures the security policy and issues it to the IoT security gateway, which stores it in the policy library;
S3. When an IoT terminal reports collected data to the IoT application server, the data is first sent over the transmission network to the IoT security gateway for identity authentication, and the gateway's data preprocessing unit receives and classifies the information;
S4-1. The data preprocessing unit extracts the message payload of the current report and forwards it to the identity decision unit;
S4-2. The data preprocessing unit parses out the basic information of the IoT terminal and provides it to the feature matching unit as explicit terminal features for identification;
S4-3. The data preprocessing unit preprocesses the physical signal and network transmission information of the current transmission and provides them to the feature extraction unit for further processing;
S5. The feature extraction unit extracts implicit features such as time-domain features, frequency-domain features, spectrum and communication rate from the physical signal, and communication protocol type and information reporting frequency from the network transmission information, and provides them to the feature matching unit for identification;
S6. The feature matching unit compares the acquired terminal features with those stored in the feature library, records the comparison result for each feature, and sends the results to the identity decision unit;
S7. The identity decision unit decides whether the IoT terminal's identity is legitimate according to the feature matching results and the configured security policy, and acts on the decision;
S8-1-1. When the identity decision unit judges the IoT terminal to be legitimate, it feeds the identification result back to the feature extraction unit and forwards the payload of the current report to the data reporting unit;
S8-1-2. The feature extraction unit uses the implicit features extracted this time as a feature sample of that terminal for learning and updates the terminal feature library; with continued learning the implicit terminal features become more accurate;
S8-1-3. The data reporting unit re-encapsulates the reported message and sends it to the IoT application server;
S8-2-1. When the identity decision unit judges the IoT terminal to be illegitimate or counterfeit, it feeds the identification result back to the feature extraction unit, discards the buffered reported data and signals that an alarm is needed;
S8-2-2. The feature extraction unit discards the implicit features extracted this time;
S8-2-3. The alarm unit reports the alarm information to the management system.
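As an added example (not the patent's code) of steps S1 to S8 above, and of the per-security-level matching threshold and first-use rule that Example 2 describes, the following Python sketch runs a constructed sequence of reports through a gateway: explicit features are looked up exactly, implicit features are scored against a profile learned only from accepted reports, and the verdict follows the policy. The report layout, the class and field names, the Welford-style running profile, the minimum-of-features matching degree, the threshold values per security level and the three-report warm-up before the implicit profile is consulted are all assumptions made for the demonstration.

```python
"""Explicit + implicit terminal identification at an IoT security gateway.
Added example, not the patent's code: report layout, class names, threshold
values and the three-report warm-up are all assumptions for the demonstration."""
import math
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Policy:
    """S2 policy: implicit matching degree required per terminal security level (assumed
    numbers) and accepted reports learned before the implicit profile is used (assumption)."""
    min_score: dict = field(default_factory=lambda: {"low": 0.5, "medium": 0.7, "high": 0.9})
    min_samples: int = 3

@dataclass
class TerminalProfile:
    """Feature library record: explicit features from S1 plus an implicit profile
    (running mean / squared deviations per numeric feature) learned from accepted reports."""
    terminal_id: str
    mac: str
    ip: str
    port: int
    level: str = "medium"
    n: int = 0
    mean: dict = field(default_factory=dict)
    m2: dict = field(default_factory=dict)
    protocol: Optional[str] = None

    def learn(self, implicit: dict) -> None:
        """S8-1-2: Welford update with one accepted report's implicit features."""
        self.n += 1
        for k, v in implicit["numeric"].items():
            delta = v - self.mean.get(k, 0.0)
            self.mean[k] = self.mean.get(k, 0.0) + delta / self.n
            self.m2[k] = self.m2.get(k, 0.0) + delta * (v - self.mean[k])
        self.protocol = implicit["protocol"]

    def match(self, implicit: dict) -> float:
        """Matching degree in [0, 1]: the worst per-feature agreement, so one out-of-profile
        feature fails the terminal; a different protocol type scores 0."""
        if implicit["protocol"] != self.protocol:
            return 0.0
        degrees = []
        for k, v in implicit["numeric"].items():
            mu = self.mean[k]
            sigma = math.sqrt(self.m2[k] / max(self.n - 1, 1))
            sigma = max(sigma, 0.05 * abs(mu), 1e-9)   # floor the spread at 5 % of the mean
            degrees.append(math.exp(-0.5 * ((v - mu) / sigma) ** 2))
        return min(degrees)

@dataclass
class Verdict:
    accepted: bool
    reason: str
    score: Optional[float] = None

class Gateway:
    def __init__(self, policy: Policy):
        self.policy, self.library = policy, {}   # feature library keyed by terminal ID
        self.forwarded, self.alarms = [], []     # data reporting unit / alarm unit outputs

    def register(self, profile: TerminalProfile) -> None:
        self.library[profile.terminal_id] = profile   # S1

    def process(self, report: dict) -> Verdict:
        # S4: split the report into explicit features, implicit features and payload
        explicit = (report["mac"], report["ip"], report["port"])
        implicit = {"protocol": report["protocol"],
                    "numeric": {"interval_s": report["interval_s"], "frame_bytes": report["frame_bytes"]}}
        prof = self.library.get(report["terminal_id"])
        if prof is None or (prof.mac, prof.ip, prof.port) != explicit:   # S6/S7: exact match
            return self._reject(report, "explicit feature mismatch", None)
        if prof.n < self.policy.min_samples:   # first use: no implicit profile to consult yet
            return self._accept(prof, report, implicit, "explicit match, profile warming up", None)
        score = prof.match(implicit)
        if score < self.policy.min_score[prof.level]:
            return self._reject(report, "implicit score %.3f below %s threshold" % (score, prof.level), score)
        return self._accept(prof, report, implicit, "explicit and implicit match", score)

    def _accept(self, prof, report, implicit, reason, score) -> Verdict:
        prof.learn(implicit)                        # S8-1-2: only accepted samples are learned
        self.forwarded.append(report["payload"])    # S8-1-1 / S8-1-3
        return Verdict(True, reason, score)

    def _reject(self, report, reason, score) -> Verdict:   # S8-2: drop, do not learn, alarm
        self.alarms.append({"terminal_id": report["terminal_id"], "mac": report["mac"], "reason": reason})
        return Verdict(False, reason, score)

def demo():
    """Constructed traffic for one high-level terminal: three warm-up reports, an honest
    report, a spoof with the right ID/MAC/IP/port but a 30 s cadence, and an unknown MAC."""
    gw = Gateway(Policy())
    gw.register(TerminalProfile("sensor-0017", "02:00:5e:00:00:17", "10.20.0.17", 5683, level="high"))
    base = dict(terminal_id="sensor-0017", mac="02:00:5e:00:00:17", ip="10.20.0.17",
                port=5683, protocol="coap", frame_bytes=48, payload=b"t=21.3")
    cases = [(60.1, base["mac"]), (59.8, base["mac"]), (60.2, base["mac"]),   # warm-up
             (59.9, base["mac"]),                                             # honest
             (30.0, base["mac"]),                                             # spoofed cadence
             (60.0, "02:00:5e:00:00:99")]                                     # unknown MAC
    return gw, [gw.process(dict(base, interval_s=i, mac=m)) for i, m in cases]
```

The spoofed report carries exactly the explicit features a Method 1 check would accept and is rejected only because its reporting cadence does not fit the learned profile. Note what the learning loop does and does not protect: a rejected report is never learned (S8-2-2), so a rejected spoofer cannot steer the profile, but every accepted report is learned (S8-1-2), so the matching threshold for a terminal has to be in force before an impersonator has had a chance to train its profile.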
This embodiment proposes a device for identifying IoT terminal equipment by explicit plus implicit features, which provides identity authentication for IoT terminals, in particular sensor-type dumb terminals, and greatly improves the ability to discriminate counterfeit sensor terminals, meeting the security requirements of critical industries for IoT applications.
Example 2
Based on the working principle of the device of the previous embodiment, this embodiment gives a specific application example of the explicit plus implicit IoT terminal device feature identification method; FIG. 2 is its flowchart. The functional entities involved are the IoT terminal, the NB-IoT network, the IoT security gateway, the IoT application server and the management system.
The method comprises the following steps:
1. The management system issues the explicit features of the legitimate IoT terminals and the security policy to the IoT security gateway;
2. The IoT security gateway stores the explicit terminal features in the terminal feature library and the security policy in the policy library;
3. The IoT terminal sends its sensing information to the IoT security gateway over the NB-IoT network;
4. On receiving the report, the IoT security gateway preprocesses it and obtains the message payload, the explicit terminal features and so on;
5. The IoT security gateway extracts the implicit features of the IoT terminal from the network transmission information;
6. The IoT security gateway compares the acquired terminal features (explicit and implicit) with the information in the feature library and obtains the comparison result;
Note that the explicit features of a legitimate terminal are always present in the feature library, whereas its implicit features are learned and updated only after it is first put into service. When the library holds no implicit features for a terminal (that is, on its first use), step 6 identifies explicit features only. Because the terminal has not yet been in service, an attacker is unlikely to know that it is legitimate and to imitate it, so the first identification can be decided on explicit features alone. This is trust on first use: the scheme then depends on the attacker not having learned the terminal's identifiers before its first report.
As one implementation, the implicit features of a terminal confirmed as legitimate can also be collected by this device while the terminal is in a controlled state, before it is first put into service, and stored in the feature library, so that implicit matching is available from the first report onward.
The policy can further be adjusted to the terminal's operating environment and security level. Because an implicit feature is not a single exact value but a degree of fit computed by a model, the required implicit matching degree can be lowered for terminals of low security level, and raised, up to an exact match, for terminals of high security level operating in an uncontrolled environment.
7. The IoT security gateway decides whether the IoT terminal's identity is legitimate according to the feature matching results and the configured security policy;
8-1. If the terminal is legitimate, the implicit terminal features obtained this time are used as a learning sample and registered in the terminal feature library, and the data reported by the terminal is forwarded to the IoT application server;
8-2. If the terminal is illegitimate, the implicit features are not used as a learning sample, the reported data is discarded, and alarm information is reported to the management system.
The above is only a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent substitution or improvement made within the spirit and principles of the invention shall fall within its scope of protection.
| Application Number | Priority Date | Filing Date | Status | Title |
|---|---|---|---|---|
| CN202410594869.7A (granted as CN118174968B) | 2024-05-14 | 2024-05-14 | Active | An explicit and implicit feature recognition device and method for an Internet of Things terminal device |
| Publication Number | Publication Date |
|---|---|
| CN118174968A | 2024-06-11 |
| CN118174968B | 2024-07-16 |
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |