CN118944981B - Internet of things equipment safety protection method, equipment and system based on behavior baseline - Google Patents


Info

Publication number
CN118944981B
Authority
CN (China)
Prior art keywords
target, executable file, behavior, internet, executable
Legal status
Active
Application number
CN202411412766.0A
Other languages
Chinese (zh)
Other versions
CN118944981A
Inventors
王滨, 杨天罡, 何承润, 万里
Current Assignee
Hangzhou Hikvision Digital Technology Co Ltd
Original Assignee
Hangzhou Hikvision Digital Technology Co Ltd
Events
Application filed by Hangzhou Hikvision Digital Technology Co Ltd
Priority to CN202411412766.0A
Publication of CN118944981A
Application granted
Publication of CN118944981B
Legal status: Active

Classifications

    • H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/12 Applying verification of the received information
        • H04L63/1416 Event detection, e.g. attack signature detection
        • H04L63/1425 Traffic logging, e.g. anomaly detection
        • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
        • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Abstract

This application provides a behavior-baseline-based method, device and system for protecting IoT devices. The method comprises: monitoring target behaviors while the IoT device is running, where the target behaviors include behaviors related to the execution of executable files; when a target behavior is detected, determining the target executable file associated with it and computing the uniqueness check value of that file with a preset algorithm; matching this value against the uniqueness check values of the executable files stored in the device firmware of the IoT device; allowing the target behavior if the match succeeds; and blocking the target behavior if the match fails. The method improves the security of IoT devices while reducing resource consumption and the occurrence of false positives.

Description

Internet of things equipment safety protection method, equipment and system based on behavior baseline
Technical Field
The application relates to the field of Internet of things safety, in particular to an Internet of things equipment safety protection method, equipment and system based on a behavior baseline.
Background
Detection of abnormal device behavior usually relies either on a behavior baseline or on rule matching of related events (an antivirus engine, a rules engine or a machine learning model). Rule matching requires the rules or engines to be updated in real time to remain effective; the engines or models are hard to run on the weak processors and small storage of IoT devices, so a server is usually needed and the analysis is delegated to the server's processing capability, and with large numbers of devices and complex networks the deployment cost is very high.
At present, the establishment of a behavior baseline is mainly realized by a mode of acquiring a baseline behavior, namely, the equipment is controlled to run for a certain time in a normal environment, and the behavior generated in the running process of the equipment is monitored and acquired, so that the acquired behavior generated in the running process of the equipment is used as the baseline behavior, and the behavior baseline is established.
However, a behavior baseline built this way may be incomplete: some services may not run while the baseline is being collected, so their behaviors never appear in the baseline, and false alarms may later be generated when protection is performed against that baseline.
Disclosure of Invention
In view of the above, the application provides a method, a device and a system for protecting the safety of Internet of things equipment based on a behavior baseline.
Specifically, the application is realized by the following technical scheme:
According to a first aspect of an embodiment of the present application, there is provided a method for protecting safety of an internet of things device based on a behavior baseline, which is applied to the internet of things device, the method including:
Monitoring target behaviors in the running process of the Internet of things equipment, wherein the target behaviors comprise behaviors related to execution of executable files;
Under the condition that the target behavior is monitored, determining a target executable file associated with the target behavior, and determining a uniqueness check value of the target executable file by utilizing a preset algorithm;
matching the uniqueness check value of the target executable file with the uniqueness check values of the executable files stored in the device firmware of the Internet of things device, wherein the uniqueness check values stored in the device firmware comprise the uniqueness check value of each executable file among all executable files generated during the device firmware build;
allowing the target behavior to occur if the matching is successful;
And blocking the target behavior in case of failure of matching.
According to a second aspect of an embodiment of the present application, there is provided an internet of things device security protection apparatus based on a behavior baseline, deployed on an internet of things device, the apparatus comprising:
The monitoring unit is used for monitoring target behaviors in the running process of the Internet of things equipment, wherein the target behaviors comprise behaviors related to the execution of executable files;
the determining unit is used for determining a target executable file associated with the target behavior under the condition that the target behavior is monitored, and determining a uniqueness check value of the target executable file by utilizing a preset algorithm;
a matching unit, configured to match the uniqueness check value of the target executable file with the uniqueness check values of the executable files stored in the device firmware of the Internet of things device, wherein the uniqueness check values stored in the device firmware comprise the uniqueness check value of each executable file among all executable files generated during the device firmware build;
and the protection unit is used for allowing the target behavior to occur under the condition that the matching is successful, and blocking the target behavior under the condition that the matching is failed.
According to a third aspect of embodiments of the present application, there is provided an electronic device, wherein,
A memory for storing a computer program;
and a processor configured to implement the method provided in the first aspect when executing the program stored in the memory.
According to a fourth aspect of embodiments of the present application, there is provided a computer program product having a computer program stored therein, which when executed by a processor implements the method provided by the first aspect.
According to a fifth aspect of embodiments of the present application, there is provided a computer program product having a computer program stored therein, which when executed by a processor implements the method provided by the first aspect.
According to a sixth aspect of the embodiment of the application, an Internet of things equipment safety protection system based on a behavior baseline is provided, which comprises a continuous integrated system and Internet of things equipment, wherein:
the continuous integration system is configured to collect all executable files generated during the build of the device firmware, determine the uniqueness check value of each executable file with a preset algorithm, and store those uniqueness check values in the device firmware;
the Internet of things device is configured to monitor target behaviors while the device runs, the target behaviors including behaviors related to the execution of executable files; when a target behavior is detected, to determine the target executable file associated with it and determine its uniqueness check value with the preset algorithm; to match that value against the uniqueness check values of the executable files stored in the device firmware, which comprise the uniqueness check value (determined with the same preset algorithm) of every executable file generated during the device firmware build; to allow the target behavior if the match succeeds; and to block the target behavior if the match fails.
With the behavior-baseline-based protection method above, the Internet of things device monitors target behaviors while running; when a target behavior is detected it determines the associated target executable file, computes that file's uniqueness check value with a preset algorithm, matches the value against the uniqueness check values of the executable files stored in the device firmware, allows the target behavior when the match succeeds and blocks it when the match fails. Because the uniqueness check values of all executable files generated during the firmware build are determined and stored in advance and used as the behavior baseline against which the target executable file is verified, the baseline is complete, which effectively reduces false alarms. In addition, since behaviors related to the execution of executable files occur relatively rarely on Internet of things devices, the check consumes few device resources while still preventing malicious programs from being executed on the device.
Drawings
Fig. 1 is a schematic flow chart of an internet of things device security protection method based on a behavior baseline according to an exemplary embodiment of the present application;
FIG. 2 is a schematic diagram of the build behavior of a sub-component according to an exemplary embodiment of the present application;
FIG. 3 is a schematic diagram illustrating a device firmware build flow according to an exemplary embodiment of the present application;
FIG. 4 is a schematic diagram illustrating a process flow of building a device firmware to add security components according to an exemplary embodiment of the present application;
Fig. 5 is a schematic structural diagram of an internet of things device security protection apparatus based on a behavior baseline according to an exemplary embodiment of the present application;
fig. 6 is a schematic diagram of a hardware structure of an electronic device according to an exemplary embodiment of the present application.
Detailed Description
In order to better understand the technical solution provided by the embodiments of the present application and make the above objects, features and advantages of the embodiments of the present application more obvious, the technical solution in the embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
Referring to fig. 1, a flow chart of an internet of things device security protection method based on a behavior baseline provided by an embodiment of the present application is provided, where the internet of things device security protection method based on a behavior baseline may be applied to an internet of things device, as shown in fig. 1, and the internet of things device security protection method based on a behavior baseline may include the following steps:
Step S100, monitoring target behaviors in the running process of the Internet of things equipment, wherein the target behaviors comprise behaviors related to execution of the executable file.
In the embodiment of the application, in order to prevent a malicious program from being executed in the internet of things device, a specific behavior (which may be referred to as a target behavior) related to the execution of an executable file in the internet of things device may be monitored.
For example, for the internet of things device, the executable file needs to set executable rights in the internet of things device, and for the executable file with executable rights, the executable file needs to be executed by starting a process.
Accordingly, behaviors related to the execution of an executable file may include, but are not limited to, one or both of a file permission change behavior (observed through inotify) and a process start behavior (observed through netlink).
Step S110, under the condition that the target behavior is monitored, determining a target executable file associated with the target behavior, and determining a uniqueness check value of the target executable file by using a preset algorithm.
Step S120, the uniqueness check value of the target executable file is matched with the uniqueness check value of the executable file stored in the equipment firmware of the Internet of things equipment, wherein the uniqueness check value of the executable file stored in the equipment firmware of the Internet of things equipment comprises the uniqueness check value of each executable file in all executable files generated in the equipment firmware construction process, and the uniqueness check value of the executable file is determined by a preset algorithm.
In the embodiment of the application, in order to prevent malicious programs from being executed in the internet of things equipment, the unique check value of each executable file in all executable files generated in the equipment firmware construction process can be predetermined and stored, and the unique check value can be used for carrying out validity check on the executable files possibly executed in the operation process of the internet of things equipment.
Illustratively, the executable file's unique check value may be used to uniquely identify an executable file, which may include, but is not limited to, a hash value, a content fingerprint, or a digital signature value, among others.
In one example, given that the resources of an Internet of things device are usually quite limited, a hash value, which is relatively cheap to compute, may be chosen as the uniqueness check value of the executable file.
Accordingly, in the case that the target behavior is monitored, an executable file (which may be referred to as a target executable file) associated with the target behavior may be determined, and a unique check value of the target executable file is determined using a preset algorithm.
Under the condition that the unique check value of the target executable file is determined, the unique check value of the target executable file can be matched with the unique check value of the executable file stored in the device firmware of the internet of things device.
The unique check value of the target executable file can be compared with the unique check value of each executable file stored in the device firmware of the internet of things device, and whether the unique check value (which can be called as the target unique check value) which is the same as the unique check value of the target executable file exists in the unique check value of each executable file stored in the device firmware of the internet of things device or not is determined.
And under the condition that the target unique check value exists in the unique check values of the executable files stored in the equipment firmware of the Internet of things equipment, the successful matching can be determined. In this case, the target executable file may be determined to be a legal executable file, such as an executable file of the system itself.
And under the condition that the target unique check value does not exist in the unique check values of the executable files stored in the equipment firmware of the Internet of things equipment, determining that the matching fails. In this case, the target executable file may be determined to be an illegitimate executable file, such as an executable file of a malicious program.
Step S130, allowing the target behavior to occur under the condition that the matching is successful.
In the embodiment of the application, when the unique check value of the target executable file is successfully matched with the unique check value of the executable file stored in the equipment firmware of the Internet of things equipment, namely, the unique check value of each executable file stored in the equipment firmware of the Internet of things equipment has the target unique check value, the target behavior can be allowed to occur, namely, the target behavior is normally responded.
Step S140, blocking the target behavior under the condition of failure of matching.
In the embodiment of the application, when the uniqueness check value of the target executable file fails to match the uniqueness check values of the executable files stored in the device firmware of the Internet of things device, that is, the target uniqueness check value does not exist among the uniqueness check values of the executable files stored in the device firmware, the target behavior can be blocked, that is, the target behavior is prevented from proceeding and the response to it is refused.
It can be seen that in the method flow shown in fig. 1, the Internet of things device monitors target behaviors while running; when a target behavior is detected it determines the associated target executable file, computes that file's uniqueness check value with a preset algorithm, matches the value against the uniqueness check values of the executable files stored in the device firmware, allows the target behavior when the match succeeds and blocks it when the match fails. Because the uniqueness check value of each executable file among all executable files generated during the device firmware build is determined and stored in advance and used as the behavior baseline against which the target executable file is verified, the baseline is complete, which effectively reduces false alarms. In addition, since behaviors related to the execution of executable files occur relatively rarely on Internet of things devices, the check consumes few device resources while still preventing malicious programs from being executed on the device.
In some embodiments, the target behavior includes a file permission change behavior for the executable file;
The monitoring of the target behavior may include:
Monitoring file authority changing behaviors;
Under the condition that the file permission changing behavior is monitored, determining whether the file aimed at by the file permission changing behavior is an executable file or not;
and determining to monitor the target behavior under the condition that the file aimed at by the file permission changing behavior is an executable file, wherein the target executable file is the file aimed at by the file permission changing behavior.
Consider the case where the target behavior comprises a file permission change behavior for an executable file.
For example, in the running process of the internet of things device, the file permission changing behavior can be monitored. Under the condition that the file permission changing behavior is monitored, a file aimed at by the file permission changing behavior can be obtained, and whether the file is an executable file or not is determined.
In the case where the file is an executable file, the file permission change behavior may be determined to be a target behavior.
It should be noted that, in the embodiment of the present application, when the file permission changing behavior is monitored, but the file for which the permission changing behavior is specific is not an executable file, special processing of the permission changing behavior is not required, that is, normal running of the permission changing behavior is not disturbed.
In one example, blocking the target behavior may include:
And refusing to carry out authority change on the target executable file, and deleting the target executable file.
For example, when a file permission modification behavior for an executable file is detected, and a uniqueness check value of a target executable file (the executable file for which the file permission modification behavior is intended) fails to match a uniqueness check value of an executable file stored in device firmware of the internet of things device, it may be determined that the target executable file is an executable file corresponding to a malicious program, and in order to avoid an influence of execution of the executable file on security of the internet of things device, permission modification of the target executable file may be refused. In addition, the target executable file can be deleted, so that the safety of the Internet of things equipment is further improved.
In some embodiments, the target behavior comprises a process start behavior;
in the case that the target behavior is monitored, determining the target executable file associated with the target behavior includes:
Under the condition that the starting behavior of the process is monitored, determining an executable file corresponding to the currently started process as a target executable file;
The allowing the target behavior to occur includes:
Allowing a currently started process to run;
Blocking the target behavior includes:
And stopping the currently started process.
Consider the case where the target behavior comprises a process start behavior.
For example, during the operation of the internet of things device, the process start behavior may be monitored.
Under the condition that the starting behavior of the process is monitored, an executable file corresponding to the currently started process can be determined to be a target executable file, and a unique check value of the target executable file is determined by utilizing a preset algorithm.
In the case where the unique check value of the target executable file is determined, the unique check value of the target executable file may be matched in the manner described in the above embodiments.
In the case that the match is successful, the currently started process may be allowed to run.
In case of a failure of the match, the currently started process may be terminated, i.e. the currently started process is prohibited from running.
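The two embodiments above (permission change on an executable file, and process start) share the core check of steps S110 to S140: hash the target executable and look the hash up in the set of check values that the firmware build stored on the device. The following is an added example written for this page, not code from the patent or from Hikvision. It assumes SHA-256 as the "preset algorithm", treats a file as executable when the requested mode carries an execute bit or the file starts with the ELF magic, receives the monitored behaviors as constructed event dicts rather than real inotify or netlink messages, and treats an unreadable or missing file as a failed match (fail closed); the action labels returned by `handle_event` are this example's own.

```python
"""Runtime side of the baseline check (constructed example, not the patent's code).
Assumptions: SHA-256 is the preset algorithm; an executable file is a regular file
with an execute bit (after the requested mode change) or an ELF header; events are
plain dicts standing in for inotify/netlink messages; unreadable file = no match."""
import hashlib
import os
import stat
import tempfile
from typing import Dict, Iterable, Optional

ELF_MAGIC = b"\x7fELF"


def file_sha256(path: str) -> str:
    """Uniqueness check value of a file: SHA-256 over its full contents."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_executable_file(path: str, new_mode: Optional[int] = None) -> bool:
    """Decide whether a permission change targets an executable file (assumption:
    execute bit in the requested mode, or ELF magic in the file header)."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False
    mode = st.st_mode if new_mode is None else new_mode
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return True
    with open(path, "rb") as fh:
        return fh.read(len(ELF_MAGIC)) == ELF_MAGIC


class FirmwareBaseline:
    """Check values that the firmware build stored on the device (step S120)."""

    def __init__(self, check_values: Iterable[str]) -> None:
        self.check_values = frozenset(check_values)

    def matches(self, path: str) -> bool:
        try:
            return file_sha256(path) in self.check_values
        except OSError:
            return False  # unreadable or missing file: no target check value exists


def handle_event(event: Dict, baseline: FirmwareBaseline) -> str:
    """Map a monitored behavior to the allow/block outcome of steps S130/S140.
    The action names are this example's own labels."""
    if event["type"] == "chmod":
        path = event["path"]
        if not is_executable_file(path, event.get("new_mode")):
            return "ignore"  # not a target behavior: the chmod proceeds untouched
        return "allow" if baseline.matches(path) else "deny_chmod_and_delete"
    if event["type"] == "exec":
        return "allow" if baseline.matches(event["exe"]) else "terminate_process"
    return "ignore"


def _write(path: str, data: bytes) -> None:
    with open(path, "wb") as fh:
        fh.write(data)


def demo() -> Dict[str, str]:
    """Constructed scenario: one binary from the firmware build, one foreign
    binary, one plain config file and one path that does not exist."""
    with tempfile.TemporaryDirectory() as tmp:
        built = os.path.join(tmp, "httpd")
        foreign = os.path.join(tmp, "dropped")
        config = os.path.join(tmp, "httpd.conf")
        _write(built, ELF_MAGIC + b"httpd built by the firmware CI")
        _write(foreign, ELF_MAGIC + b"binary that never went through the build")
        _write(config, b"listen=80\n")
        baseline = FirmwareBaseline([file_sha256(built)])  # what the build stored
        return {
            "chmod_built": handle_event({"type": "chmod", "path": built, "new_mode": 0o755}, baseline),
            "chmod_foreign": handle_event({"type": "chmod", "path": foreign, "new_mode": 0o755}, baseline),
            "chmod_config": handle_event({"type": "chmod", "path": config, "new_mode": 0o644}, baseline),
            "exec_built": handle_event({"type": "exec", "pid": 4242, "exe": built}, baseline),
            "exec_foreign": handle_event({"type": "exec", "pid": 4243, "exe": foreign}, baseline),
            "exec_missing": handle_event({"type": "exec", "pid": 4244, "exe": os.path.join(tmp, "gone")}, baseline),
        }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The config file's chmod is ignored because it is not an executable, matching the note that non-executable permission changes need no special handling; the foreign binary and the missing path both end in a block, because no target check value exists for them in the baseline.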
In some embodiments, the unique check value of the executable file stored in the device firmware of the internet of things device is stored in a security component of the internet of things device, and the security component is constructed by taking the unique check value of all executable files generated in the construction process of other sub-components except the security component in the construction process of the device firmware as a construction dependency.
For example, in the construction process of the device firmware of the internet of things device, a security component may be additionally added, where the security component may use the unique check value of each executable file in the executable files generated in the construction process of all sub-components except the security component in the construction process of the device firmware as a construction dependency, that is, in the construction process of the security component, the unique check value of each executable file in the executable files generated in the construction process of all other sub-components in the construction process of the device firmware needs to be acquired, and the acquired unique check value of each executable file is used as the construction dependency of the security component.
By constructing the security component in this way, the security component obtains the uniqueness check value of each executable file generated while the other sub-components are built and stores them together with the uniqueness check values of the executable files generated while the security component itself is built, so that the security component holds the uniqueness check value of every executable file generated in the whole device firmware build.
It should be noted that, in the embodiment of the present application, in addition to the secure component construction may be performed in the above manner to obtain and store the unique check value of each executable file in all executable files generated in the device firmware construction process, the unique check value of each executable file generated in the device firmware construction process may also be obtained in the device firmware construction process, and stored in the designated storage space of the device firmware.
However, under the condition that security measures are taken on the internet of things device, a security component is generally required to be set in the device firmware (the security component can execute processing operations related to security protection in the operation process of the internet of things device), so that the collection and storage of the unique check value of each executable file in all executable files generated in the construction process of the device firmware can be realized without excessively changing the construction logic of the device firmware by taking the unique check value of each executable file in all executable files generated in the construction process of the device firmware as the construction dependence of the security component.
In the embodiment of the present application, when the security component is constructed in the above manner, the security protection processing flow described in the above embodiment may be implemented by the security component in the process of operating the device of the internet of things, and the unique verification value of each executable file in all executable files generated in the process of constructing the firmware of the device is used as a behavior baseline to verify the target executable file associated with the monitored target behavior.
In some embodiments, the unique check values of the executable files stored in the device firmware of the Internet of things device are obtained as follows:
for any wrapped toolchain in the wrapped-toolchain set, while that wrapped toolchain is being invoked to build a sub-component, the wrapped toolchain passes the build parameters through to the toolchain it wraps and invokes that toolchain to compile them, where the wrapped-toolchain set is obtained by wrapping each toolchain in the toolchain set used in the device firmware build;
the wrapped toolchain scans the build result produced by the toolchain to obtain the executable files contained in that build result;
the unique check value of each executable file obtained through the wrapped toolchains is determined with a preset algorithm.
For example, building device firmware usually requires building several sub-components, and the device firmware is then built with those sub-components as its build dependencies.
Because the executable files generated during the build may be packed or encrypted when the device firmware is assembled, it may not be possible to obtain all of them once the firmware has been built.
To collect the executable files generated during the device firmware build more completely, they can therefore be collected at the compilation stage of each sub-component build, that is, while the toolchain is compiling the build parameters.
During the device firmware build, for any sub-component, the system (for example a continuous integration system) obtains the build parameters needed for that sub-component and invokes a toolchain to compile them, which builds the sub-component.
Compiling the build parameters with the toolchain generates executable files, and these are contained in the build result.
To achieve this, in the embodiment of the present application each toolchain in the toolchain set used in the device firmware build may be wrapped to obtain a wrapped-toolchain set.
Illustratively, wrapping a toolchain means adding a wrapper layer around it that passes the build parameters through unchanged and scans the build result produced by the toolchain for executable files.
Accordingly, for any wrapped toolchain in the wrapped-toolchain set, while that wrapped toolchain is being invoked to build a sub-component, it passes the build parameters through to the toolchain it wraps, invokes that toolchain to compile them, and then scans the build result produced by the toolchain to obtain the executable files contained in it.
For the executable files obtained through each wrapped toolchain, a preset algorithm may then be used to determine their unique check values.
To help those skilled in the art understand the technical solutions of the embodiments of the present application better, they are described below with reference to specific examples.
The device firmware of an Internet of things device is generally composed of multiple sub-components, each of which may contain a different set of executable files. The sub-components depend on one another; once built, they are packaged into the complete device firmware, which is burnt into the device and rarely changes afterwards.
For example, the build of an individual sub-component is shown in fig. 2.
As shown in fig. 2, the build behaviour of a sub-component can be described as generating a build product from source code and build dependencies within a build process.
The build process typically involves the toolchain used (e.g. gcc/clang), the build system (e.g. cmake/make) and some build parameters (e.g. whether certain features are enabled, the default log level, etc.).
Note that in an embedded system the build system and build parameters used to compile different sub-components may differ, but the toolchain is typically the same.
Building on fig. 2, the build flow of the whole device firmware is shown in fig. 3.
As shown in fig. 3, the build of the whole device firmware can be described as a sub-component build with multiple levels of dependencies. Every executable file that may run during later device operation is generated during this build.
Based on this, in this embodiment the build process of every sub-component can be instrumented so that the executable files are extracted from the build product as it is generated and their hash values are computed.
In this embodiment, as shown in fig. 4, a new sub-component (which may be called the security component) is added to the device firmware build. The security component takes the hash values of all executable files generated by the other sub-components during the build as a build dependency, so that in the subsequent device operation stage those hash values serve as the behavior baseline against which executable files are validated.
In this embodiment, the procedure for obtaining the hash value of every executable file generated during the device firmware build may include:
S0. Wrap the toolchain set (T0, T1, ..., Tn) used in the device firmware build to obtain the wrapped-toolchain set (W0, W1, ..., Wn).
Illustratively, toolchain Ti is wrapped to obtain wrapped toolchain Wi, where i = 0, 1, ..., n.
S1. While wrapped toolchain Wi is being invoked to build a sub-component, Wi passes the build parameters through to Ti and invokes Ti to compile them.
S2. When Ti has finished compiling, Wi scans the build result produced by Ti and obtains the set of executable files contained in it.
S3. Compute the hash value of each executable file in that set.
S4. Repeat the above for all other sub-components until every one of them has been built, obtain the hash values of all their executable files (which may be denoted B1), pass them to the security component as a build dependency, and store in the security component both these hash values and the hash values of the executable files generated while the security component itself is built.
Note that the build of the security component may include other information besides the hash value of every executable file; this is not limited in the embodiments of the present application.
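As an added example that is not part of the present application or of the applicant's code, the following Python script illustrates one way to realise steps S0 to S4 for a single wrapped toolchain Wi. It passes its build arguments through unchanged to the real tool Ti, then scans a given build output directory for executables and merges their SHA-256 hashes into the baseline B1 kept in a JSON file. The script and file names, the JSON format, the use of a fixed output directory rather than parsing the tool's own output options, and the recognition of executables by their ELF header are all assumptions of this example.

```python
# Added example (not the patent's own code): a wrapper Wi around a real toolchain Ti.
# It passes the build arguments through untouched, then scans the build result for
# executables and records their SHA-256 hashes (the "unique check values") into B1.
# The JSON baseline format, the output-root convention and the ELF check are assumptions.
import hashlib
import json
import os
import subprocess
import sys

ELF_MAGIC = b"\x7fELF"  # assumption: a Linux-based firmware whose executables are ELF files


def is_executable_file(path: str) -> bool:
    """Recognise an executable by content (ELF header), not by its mode bits,
    so a file that is only chmod'ed later is still covered by the runtime check."""
    try:
        with open(path, "rb") as f:
            return f.read(len(ELF_MAGIC)) == ELF_MAGIC
    except OSError:
        return False


def sha256_file(path: str) -> str:
    """Unique check value of one file: SHA-256 over its full contents."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def scan_build_result(output_root: str) -> dict:
    """Steps S2 and S3: walk the build result and hash every executable in it.
    Returns {path relative to output_root: sha256 hex digest}."""
    found = {}
    for dirpath, _dirs, names in os.walk(output_root):
        for name in names:
            path = os.path.join(dirpath, name)
            # skip symlinks so the same binary is not recorded under two names
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            if is_executable_file(path):
                found[os.path.relpath(path, output_root)] = sha256_file(path)
    return found


def run_wrapped_toolchain(real_tool: str, build_args: list, output_root: str, baseline: dict) -> dict:
    """Step S1: invoke the real toolchain Ti with the build parameters unchanged
    (a non-zero exit aborts the build, exactly as it would without the wrapper),
    then merge the hashes of the executables it produced into B1.
    Returns the hashes recorded by this invocation."""
    subprocess.run([real_tool, *build_args], check=True)
    produced = scan_build_result(output_root)
    baseline.update(produced)
    return produced


def load_baseline(path: str) -> dict:
    """B1 accumulated by earlier sub-component builds, or empty for the first one."""
    if not os.path.exists(path):
        return {}
    with open(path) as f:
        return json.load(f)


def save_baseline(baseline: dict, path: str) -> None:
    """Persist B1 so it can be handed to the security component as a build dependency."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


if __name__ == "__main__":
    # usage: wrap_toolchain.py <real tool> <output root> <baseline.json> -- <build args...>
    real_tool, output_root, baseline_path = sys.argv[1:4]
    build_args = sys.argv[5:] if len(sys.argv) > 4 and sys.argv[4] == "--" else sys.argv[4:]
    b1 = load_baseline(baseline_path)
    run_wrapped_toolchain(real_tool, build_args, output_root, b1)
    save_baseline(b1, baseline_path)
```

In a real build Wi would be installed under the toolchain's own name on the build machine's PATH, with Ti reachable at a fixed path, so that the build system (cmake/make) calls Wi without any change to the sub-component's build logic. Scanning by content rather than by the executable bit is deliberate: it is the same test the device applies at run time, so the two sides agree on what counts as an executable.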
In this embodiment, once the device firmware has been built as described above, the Internet of things device can, while it runs, obtain from the security component the hash value of every executable file generated during the device firmware build, use these hash values as a behavior baseline to identify malicious programs automatically, and so implement security protection.
For example, the security protection flow while the device runs may include:
S1. While the Internet of things device runs, monitor file permission changes and process starts in the system.
S2. When a file permission change is observed, determine whether the file it targets is an executable file; if so, go to S3, otherwise go to S1.
S3. Compute the hash value of that executable file and look it up in B1. If a match is found, go to S1; if not, go to S4.
S4. Delete the executable file, record the event, and go to S1.
S5. When a process start is observed, compute the hash value of the executable file of the process being started and look it up in B1. If a match is found, go to S6; if not, go to S7.
S6. Let the process run, and go to S1.
S7. Terminate the process, and go to S1.
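As an added example that is not part of the present application or of the applicant's code, the following Python code implements the decision logic of steps S1 to S7 above over constructed events. The monitoring source itself (on Linux, for instance fanotify permission events or an audit feed) is assumed and replaced by Event records; the delete and terminate actions are injectable so the logic can be exercised without touching a live system. The Event and Guard names are hypothetical.

```python
# Added example (not the patent's own code): steps S1-S7 as a decision function over
# monitored events. The event source is assumed (e.g. fanotify or an audit feed) and
# replaced by constructed Event records; delete/kill actions are injectable for testing.
import hashlib
import os
import signal
from dataclasses import dataclass, field
from typing import Callable

ELF_MAGIC = b"\x7fELF"  # assumption: executables on the device are ELF files


def is_executable_file(path: str) -> bool:
    """Step S2: decide by content whether the file a permission change targets is executable."""
    try:
        with open(path, "rb") as f:
            return f.read(len(ELF_MAGIC)) == ELF_MAGIC
    except OSError:
        return False


def sha256_file(path: str) -> str:
    """Unique check value of the file, computed the same way as at build time."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


@dataclass
class Event:
    kind: str       # "perm_change" (chmod on a file) or "process_start"
    path: str       # file being chmod'ed, or the executable image of the new process
    pid: int = 0    # only meaningful for process_start


@dataclass
class Guard:
    baseline: set                                   # B1: set of hex digests from the security component
    log: list = field(default_factory=list)         # S4: recorded events
    delete_file: Callable[[str], None] = os.remove
    kill_process: Callable[[int], None] = lambda pid: os.kill(pid, signal.SIGKILL)

    @staticmethod
    def _digest(path: str):
        """An unreadable or vanished image is treated as unknown (fail closed)."""
        try:
            return sha256_file(path)
        except OSError:
            return None

    def handle(self, ev: Event) -> str:
        """Return the action taken: "ignore", "allow", "delete" or "terminate"."""
        if ev.kind == "perm_change":
            if not is_executable_file(ev.path):
                return "ignore"                     # S2: not an executable, back to S1
            if self._digest(ev.path) in self.baseline:
                return "allow"                      # S3: image is in B1, back to S1
            self.delete_file(ev.path)               # S4: unknown executable, remove it
            self.log.append(("deleted", ev.path))
            return "delete"
        if ev.kind == "process_start":
            if self._digest(ev.path) in self.baseline:
                return "allow"                      # S6: let the process run
            self.kill_process(ev.pid)               # S7: terminate the process
            self.log.append(("terminated", ev.pid, ev.path))
            return "terminate"
        return "ignore"
```

Two properties of this check are worth keeping in mind when the event source is chosen. First, the hash is taken over the on-disk image of the process, so a baselined interpreter started on a script that is not in the baseline is allowed; the script is not an ELF file and is never hashed. Second, if the hash is computed only after the process has already started, terminating it is a cleanup rather than a prevention, and the image could be swapped between the hash and the exec; a blocking pre-exec hook (such as a fanotify permission event or an LSM hook) is what makes the decision take effect before the code runs.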
The method provided by the application has been described above. The apparatus provided by the application is described below.
Referring to fig. 5, which is a schematic structural diagram of a behavior-baseline-based Internet of things device security protection apparatus according to an embodiment of the present application, the apparatus may include:
a monitoring unit 510, configured to monitor a target behavior while the Internet of things device runs, where the target behavior includes behavior related to the execution of an executable file;
a determining unit 520, configured, when a target behavior is observed, to determine the target executable file associated with it and to determine the unique check value of the target executable file with a preset algorithm;
a matching unit 530, configured to match the unique check value of the target executable file against the unique check values of the executable files stored in the device firmware of the Internet of things device, where the stored unique check values include those of all executable files generated during the device firmware build;
and a protection unit 540, configured to allow the target behavior if the match succeeds and to block the target behavior if the match fails.
In some embodiments, the target behavior includes a file permission change targeting an executable file;
the monitoring unit 510 monitoring the target behavior includes:
monitoring file permission changes;
when a file permission change is observed, determining whether the file it targets is an executable file;
and determining that a target behavior has been observed when the file targeted by the permission change is an executable file, the target executable file being that file.
In some embodiments, the protection unit 540 blocking the target behavior includes:
refusing the permission change on the target executable file and deleting the target executable file.
In some embodiments, the target behavior includes a process start;
determining the target executable file associated with the target behavior when it is observed includes:
when a process start is observed, determining the executable file of the process being started as the target executable file;
allowing the target behavior includes:
allowing the process being started to run;
and blocking the target behavior includes:
terminating the process being started.
In some embodiments, the unique check values of the executable files stored in the device firmware of the Internet of things device are stored in a security component of the Internet of things device, and the security component is built with the unique check value of every executable file generated during the build of the sub-components of the device firmware other than the security component as a build dependency.
In some embodiments, the unique check values of the executable files stored in the device firmware of the Internet of things device are generated as follows:
for any wrapped toolchain in the wrapped-toolchain set, while that wrapped toolchain is being invoked to build a sub-component, passing the build parameters through the wrapped toolchain to the toolchain it wraps and invoking that toolchain to compile them, where the wrapped-toolchain set is obtained by wrapping each toolchain in the toolchain set used in the device firmware build;
scanning, through the wrapped toolchain, the build result produced by the toolchain to obtain the executable files contained in it;
and determining, with the preset algorithm, the unique check value of each executable file obtained through each wrapped toolchain.
In some embodiments, the preset algorithm is a hash algorithm and the unique check value is a hash value.
The embodiments of the present application also provide an electronic device comprising a processor and a memory, where the memory stores a computer program and the processor, when executing the program stored in the memory, implements the behavior-baseline-based Internet of things device security protection method.
Fig. 6 is a schematic diagram of the hardware structure of an electronic device according to an embodiment of the present application. The electronic device may include a processor 601 and a memory 602 storing machine-executable instructions. The processor 601 and the memory 602 may communicate over a system bus 603. By reading and executing the machine-executable instructions in the memory 602 that correspond to the behavior-baseline-based Internet of things device security protection logic, the processor 601 can carry out the behavior-baseline-based Internet of things device security protection method described above.
The memory 602 referred to here may be any electronic, magnetic, optical or other physical storage device that can contain or store information such as executable instructions or data. For example, the machine-readable storage medium may be RAM (Random Access Memory), volatile memory, non-volatile memory, flash memory, a storage drive (e.g. a hard drive), a solid-state disk, any type of storage disk (e.g. an optical disc, a DVD, etc.), a similar storage medium, or a combination thereof.
In some embodiments, a machine-readable storage medium such as the memory 602 in fig. 6 is also provided, storing machine-executable instructions which, when executed by a processor, implement the behavior-baseline-based Internet of things device security protection method described above. For example, the machine-readable storage medium may be a ROM, RAM, CD-ROM, magnetic tape, floppy disk, optical data storage device, etc.
The embodiments of the present application also provide a computer program product storing a computer program which causes a processor to carry out the behavior-baseline-based Internet of things device security protection method.
The embodiments of the present application also provide a behavior-baseline-based Internet of things device security protection system comprising a continuous integration system and an Internet of things device, where:
the continuous integration system is configured to obtain all executable files generated during the device firmware build, determine the unique check value of each of them with a preset algorithm, and store those unique check values in the device firmware;
the Internet of things device is configured to monitor a target behavior while the device runs, the target behavior including behavior related to the execution of an executable file; when a target behavior is observed, to determine the target executable file associated with it and determine its unique check value with the preset algorithm; to match that unique check value against the unique check values of the executable files stored in the device firmware of the Internet of things device, which include the unique check values, determined with the preset algorithm, of all executable files generated during the device firmware build; and to allow the target behavior if the match succeeds and block it if the match fails.
The continuous integration system is a system independent of the Internet of things device and is used to generate the device firmware of the Internet of things device.
For example, the specific way in which the continuous integration system determines the unique check value of every executable file generated during the device firmware build may be found in the related description of the above embodiments.
By way of example, the Internet of things device may implement security protection in the manner described in the above embodiments.

Claims (9)

1. A behavior-baseline-based Internet of things device security protection method, characterized in that it is applied to an Internet of things device and comprises:
monitoring a target behavior while the Internet of things device runs, the target behavior including behavior related to the execution of an executable file;
when the target behavior is observed, determining a target executable file associated with the target behavior, and determining a unique check value of the target executable file with a preset algorithm;
matching the unique check value of the target executable file against the unique check values of the executable files stored in the device firmware of the Internet of things device, wherein the unique check values stored in the device firmware include the unique check values of all executable files generated during the device firmware build, each determined with the preset algorithm; the unique check values stored in the device firmware are stored in a security component of the Internet of things device; and the security component is built with the unique check value of every executable file generated during the build of the sub-components of the device firmware other than the security component as a build dependency;
allowing the target behavior if the match succeeds;
and blocking the target behavior if the match fails.
2. The method of claim 1, characterized in that the target behavior comprises a file permission change targeting an executable file;
monitoring the target behavior comprises:
monitoring file permission changes;
when a file permission change is observed, determining whether the file it targets is an executable file;
and determining that a target behavior has been observed when the file targeted by the file permission change is an executable file, the target executable file being the file targeted by the file permission change;
wherein blocking the target behavior comprises:
refusing the permission change on the target executable file, and deleting the target executable file.
3. The method of claim 1, characterized in that the target behavior comprises a process start;
determining the target executable file associated with the target behavior when the target behavior is observed comprises:
when a process start is observed, determining the executable file of the process being started as the target executable file;
allowing the target behavior comprises:
allowing the process being started to run;
and blocking the target behavior comprises:
terminating the process being started.
4. The method according to any one of claims 1-3, characterized in that the unique check values of the executable files stored in the device firmware of the Internet of things device are generated by:
for any wrapped toolchain in a wrapped-toolchain set, while that wrapped toolchain is being invoked to build a sub-component, passing the build parameters through the wrapped toolchain to the toolchain it wraps and invoking that toolchain to compile the build parameters, wherein the wrapped-toolchain set is obtained by wrapping each toolchain in the toolchain set used in the device firmware build;
scanning, through the wrapped toolchain, the build result produced by the toolchain to obtain the executable files contained in that build result;
and determining, with the preset algorithm, the unique check value of each executable file obtained through each wrapped toolchain.
5. The method according to any one of claims 1-3, characterized in that the preset algorithm is a hash algorithm and the unique check value is a hash value.
6. A behavior-baseline-based Internet of things device security protection apparatus, characterized in that the apparatus is deployed in an Internet of things device and comprises:
a monitoring unit configured to monitor a target behavior while the Internet of things device runs, the target behavior including behavior related to the execution of an executable file;
a determining unit configured, when the target behavior is observed, to determine a target executable file associated with the target behavior and to determine a unique check value of the target executable file with a preset algorithm;
a matching unit configured to match the unique check value of the target executable file against the unique check values of the executable files stored in the device firmware of the Internet of things device, wherein the unique check values stored in the device firmware include the unique check value of every executable file generated during the device firmware build, each determined with the preset algorithm; the unique check values stored in the device firmware are stored in a security component of the Internet of things device; and the security component is built with the unique check value of every executable file generated during the build of the sub-components of the device firmware other than the security component as a build dependency;
and a protection unit configured to allow the target behavior if the match succeeds and to block the target behavior if the match fails.
7. An electronic device comprising a processor and a memory, wherein
the memory is configured to store a computer program;
and the processor is configured to implement the method of any one of claims 1-5 when executing the program stored in the memory.
8. A computer program product, characterized in that it stores a computer program which, when executed by a processor, implements the method of any one of claims 1-5.
9. A behavior-baseline-based Internet of things device security protection system, characterized in that it comprises a continuous integration system and an Internet of things device, wherein:
the continuous integration system is configured to obtain all executable files generated during the device firmware build, determine the unique check value of each executable file with a preset algorithm, and store the unique check value of each executable file in the device firmware; a security component is built with the unique check value of every executable file generated during the build of the sub-components of the device firmware other than the security component as a build dependency;
the Internet of things device is configured to monitor a target behavior while the device runs, the target behavior including behavior related to the execution of an executable file; when the target behavior is observed, to determine a target executable file associated with the target behavior and determine its unique check value with the preset algorithm; to match that unique check value against the unique check values of the executable files stored in the device firmware of the Internet of things device, which include the unique check values, determined with the preset algorithm, of all executable files generated during the device firmware build; and to allow the target behavior if the match succeeds and block the target behavior if the match fails.
CN202411412766.0A 2024-10-10 2024-10-10 Internet of things equipment safety protection method, equipment and system based on behavior baseline Active CN118944981B (en)

Publications (2)

Publication Number Publication Date
CN118944981A CN118944981A (en) 2024-11-12
CN118944981B true CN118944981B (en) 2025-01-03
