CN-122001888-A - Security analysis method, device, equipment and storage medium for equipment group
Abstract
The application discloses a security analysis method, apparatus, device and storage medium for a device group, and relates to the technical field of the Internet of Things. The method comprises: collecting device metadata of a plurality of target devices, and generating a neighbor node load table by broadcast registration based on the device metadata; screening the neighbor node load table through a central point clustering algorithm to generate a device group; obtaining security events in the device group, and classifying and packaging them to generate event objects; evaluating candidate nodes in the device group to determine a target execution node; and carrying out security analysis on the event objects through the target execution node to generate security policies and execute them. By evaluating the resource state of the candidate nodes, the optimal target execution node is chosen to bear the complex security analysis task, and the analysis load is offloaded from resource-constrained devices to that node, which solves the problem that a single device can hardly complete the analysis on its own and improves cluster security.
Inventors
- LI YUE
- LI YAN
- FANG SHUIBO
- CHEN ZHILIE
Assignees
- 深圳市九牛一毛智能物联科技有限公司
Dates
- Publication Date
- 20260508
- Application Date
- 20260123
Claims (10)
- 1. A security analysis method for a group of devices, comprising: collecting device metadata of a plurality of target devices, and generating a neighbor node load table by broadcast registration based on the device metadata; screening the neighbor node load table through a central point clustering algorithm to generate a device group corresponding to the target devices; acquiring a security event in the device group, classifying and packaging the security event, and generating an event object; evaluating candidate nodes in the device group based on the neighbor node load table, and determining a target execution node in the device group; and carrying out security analysis on the event object through the target execution node, generating a security policy corresponding to the event object, and carrying out policy execution.
- 2. The security analysis method for a group of devices according to claim 1, wherein the step of screening the neighbor node load table through a central point clustering algorithm to generate the device group corresponding to the target devices comprises: filtering based on the neighbor node load table, and determining candidate devices in the neighbor node load table; calculating load distances between the candidate devices, and determining a target centroid node of the device group based on the load distances; and constructing the device group of the target devices according to group information sent by the target centroid node.
- 3. The security analysis method for a group of devices according to claim 2, wherein the step of calculating load distances between the candidate devices and determining a target centroid node of the device group based on the load distances comprises: calculating the load distance between the candidate devices according to the CPU load value and the memory use value of the candidate devices; and determining an initial centroid node of the device group, iteratively calculating the total load distances from the other candidate nodes to the initial centroid node, and determining the target centroid node of the device group based on the total load distances.
- 4. The security analysis method for a group of devices according to claim 1, wherein the step of obtaining security events in the device group, classifying and packaging the security events, and generating event objects comprises: acquiring security events in the device group through hook points in an eBPF program; assigning corresponding behavior classification labels to the security events according to the hook point types corresponding to the security events; and aggregating and packaging the security events according to the behavior classification labels to generate corresponding event objects.
- 5. The security analysis method for a group of devices according to claim 1, wherein the step of evaluating candidate nodes in the device group based on the neighbor node load table and determining a target execution node in the device group comprises: acquiring the device metadata of the candidate nodes based on the neighbor node load table; performing scoring calculation on the candidate nodes according to the device metadata to obtain a comprehensive capability score for each candidate node; and determining the target execution node in the device group according to the comprehensive capability scores.
- 6. The security analysis method according to claim 1, wherein the step of performing security analysis on the event object through the target execution node, generating a security policy corresponding to the event object, and performing policy execution comprises: acquiring a security analysis executor from a preset executor pool; running the security analysis executor on the target execution node to perform security analysis on the event object and generate a security analysis result for the event object; and generating a corresponding security policy based on the security analysis result, and executing the policy on the source device.
- 7. The security analysis method according to claim 6, wherein generating the corresponding security policy based on the security analysis result for policy execution on the source device comprises: performing semantic conversion on the security analysis result; querying a predefined policy mapping table according to the semantically converted security analysis result, and determining target decision data corresponding to the security analysis result; and integrating the target decision data to generate the security policy, and transmitting the security policy to the source device for policy execution.
- 8. A security analysis apparatus for a group of devices, comprising: a data acquisition module for acquiring device metadata of a plurality of target devices and generating a neighbor node load table by broadcast registration based on the device metadata; a group construction module for screening the neighbor node load table through a central point clustering algorithm to generate a device group corresponding to the target devices; an object packaging module for acquiring a security event in the device group, classifying and packaging the security event, and generating an event object; a node evaluation module for evaluating candidate nodes in the device group based on the neighbor node load table and determining a target execution node in the device group; and a policy execution module for carrying out security analysis on the event object through the target execution node, generating a security policy corresponding to the event object, and carrying out policy execution.
- 9. A security analysis device for a group of devices, characterized in that the device comprises a memory, a processor, and a computer program stored in the memory and executable on the processor, the computer program being configured to implement the steps of the security analysis method for a group of devices according to any one of claims 1 to 7.
- 10. A storage medium, characterized in that the storage medium is a computer-readable storage medium on which a computer program is stored, the computer program, when executed by a processor, carrying out the steps of the security analysis method for a group of devices according to any one of claims 1 to 7.
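A worked illustration of the screening, centroid selection and node scoring steps of claims 2, 3 and 5, as an added example that is not the patent's or the applicant's code. The load table, the saturation threshold, the Euclidean form of the load distance, the metadata fields `cpu_cores` and `mem_mb`, and the scoring weights are all assumptions, since the claims do not fix them.

```python
"""Screening a neighbor node load table, choosing the centroid node and
scoring candidates for the execution node (claims 2, 3 and 5).
Field names, threshold, distance metric and weights are assumptions."""
from dataclasses import dataclass
import math

@dataclass(frozen=True)
class Node:
    node_id: str
    cpu_load: float   # CPU load value as a fraction 0..1
    mem_used: float   # memory use value as a fraction 0..1
    cpu_cores: int    # assumed metadata field used for capability scoring
    mem_mb: int       # assumed metadata field used for capability scoring

# Constructed neighbor node load table: five devices that answered the broadcast
LOAD_TABLE = [
    Node("cam-01", 0.90, 0.85, 1, 256),
    Node("gw-01", 0.20, 0.30, 4, 2048),
    Node("sensor-07", 0.35, 0.40, 1, 128),
    Node("nvr-02", 0.25, 0.35, 8, 4096),
    Node("plc-03", 0.95, 0.95, 2, 512),
]

def filter_candidates(table, max_load=0.8):
    """Claim 2 filtering step: drop nodes already saturated on CPU or memory,
    so they are never asked to absorb another device's analysis load."""
    return [n for n in table if n.cpu_load <= max_load and n.mem_used <= max_load]

def load_distance(a, b):
    """Claim 3: load distance from CPU load value and memory use value
    (Euclidean distance in the (cpu_load, mem_used) plane, assumed)."""
    return math.hypot(a.cpu_load - b.cpu_load, a.mem_used - b.mem_used)

def select_centroid(candidates):
    """Claim 3: take the first candidate as initial centroid, then iterate over
    the candidates, summing the load distances from all other nodes to the
    trial centroid, and keep the node with the smallest total (a medoid)."""
    centroid, best_total = candidates[0], math.inf
    for trial in candidates:
        total = sum(load_distance(other, trial) for other in candidates if other is not trial)
        if total < best_total:
            centroid, best_total = trial, total
    return centroid

def capability_score(n, w_cpu=0.5, w_mem=0.5):
    """Claim 5: comprehensive capability score = weighted idle CPU cores plus
    weighted idle memory in GB, so a busy big node can lose to an idle small one."""
    return w_cpu * n.cpu_cores * (1 - n.cpu_load) + w_mem * (n.mem_mb / 1024) * (1 - n.mem_used)

def select_execution_node(candidates):
    """Claim 5: the target execution node is the candidate with the top score."""
    return max(candidates, key=capability_score)
```

With the constructed table, `cam-01` and `plc-03` are screened out as saturated, `nvr-02` becomes both the centroid (smallest total load distance) and the execution node (highest score).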
Description
Technical Field
The present application relates to the field of the Internet of Things, and in particular to a security analysis method, apparatus, device, and storage medium for a device group.
Background
With the rapid growth in the scale of Internet of Things devices and the increasing diversity of device forms, the security threats faced in IoT environments are becoming more complex, placing higher demands on the local security protection capability of the devices. Currently, common IoT security schemes rely primarily on user-mode security agents residing on the device. Such a scheme installs a resident process or service at the device operating system level to monitor and analyse activities such as device behaviour, network connections and file access. When abnormal behaviour is detected, the agent executes a preset response strategy, such as blocking the network connection or terminating the suspicious process, to achieve security protection. However, such prior-art solutions based on user-mode agents have a significant disadvantage: their security detection and analysis functionality depends entirely on the local computing resources of a single device.
On resource-limited IoT devices, particularly low-power, low-compute embedded terminals, running a complex security analysis algorithm noticeably occupies core resources such as the CPU and memory, so that the device's service performance may degrade and effective real-time protection is difficult to achieve when the analysis load is high; this creates a prominent contradiction between protection performance and device resources. The foregoing is provided merely to facilitate understanding of the technical solution of the present application and is not an admission that it is prior art.
Disclosure of Invention
The application mainly aims to provide a security analysis method, apparatus, device and storage medium for a device group, in order to solve the technical problem that a single IoT device, due to limited resources, can hardly complete complex security analysis on its own.
To achieve the above object, the present application provides a security analysis method for a device group, the method comprising: collecting device metadata of a plurality of target devices, and generating a neighbor node load table by broadcast registration based on the device metadata; screening the neighbor node load table through a central point clustering algorithm to generate a device group corresponding to the target devices; acquiring a security event in the device group, classifying and packaging the security event, and generating an event object; evaluating candidate nodes in the device group based on the neighbor node load table, and determining a target execution node in the device group; and carrying out security analysis on the event object through the target execution node, generating a security policy corresponding to the event object, and carrying out policy execution.
In an embodiment, the step of screening the neighbor node load table through a central point clustering algorithm to generate the device group corresponding to the target devices includes: filtering based on the neighbor node load table, and determining candidate devices in the neighbor node load table; calculating load distances between the candidate devices, and determining a target centroid node of the device group based on the load distances; and constructing the device group of the target devices according to group information sent by the target centroid node.
In an embodiment, the step of calculating load distances between the candidate devices and determining a target centroid node of the device group based on the load distances comprises: calculating the load distance between the candidate devices according to the CPU load value and the memory use value of the candidate devices; and determining an initial centroid node of the device group, iteratively calculating the total load distances from the other candidate nodes to the initial centroid node, and determining the target centroid node of the device group based on the total load distances.
In an embodiment, the step of obtaining the security event in the device group, classifying and packaging the security event, and generating the event object includes: acquiring security events in the device group through hook points in an eBPF program; assigning corresponding behavior classification labels to the security events according to th