
CN-122027316-A - Internet of things equipment safety protection system

Abstract

The application discloses a security protection system for Internet of Things devices, comprising an analysis engine, SDWAN nodes and Internet of Things sites. The analysis engine is configured to analyze mirrored traffic data in real time through a machine learning model, calculate a behavior deviation degree using an isolation forest algorithm, trigger an alarm event if the behavior deviation degree exceeds a preset threshold, send first instruction information and second instruction information (or the first instruction information alone) to a policy executor if the behavior deviation degree exceeds a first preset threshold, and send the second instruction information to the policy executor if the behavior deviation degree exceeds a second preset threshold without exceeding the first preset threshold. The policy executor is configured to dynamically isolate Internet of Things sites that do not meet preset rules according to the first instruction information and/or send differential patch packages to the Internet of Things sites according to the second instruction information. The system can improve the security and stability of Internet of Things site devices.

Inventors

  • LU KAIZHI
  • ZUO SHAOZHOU
  • GONG XIAO
  • ZHOU ZHIMING

Assignees

  • 深圳市宏电技术股份有限公司
  • 深圳市宏电智能科技有限公司

Dates

Publication Date
2026-05-12
Application Date
2026-03-05

Claims (10)

  1. An Internet of Things device security protection system, characterized in that it comprises an analysis engine, SDWAN nodes and an Internet of Things site, wherein the SDWAN nodes comprise a policy executor and the Internet of Things site comprises a monitoring device; the analysis engine is communicatively connected with a plurality of SDWAN nodes, and each SDWAN node is communicatively connected with at least one Internet of Things site and with other SDWAN nodes; the monitoring device is configured to perform traffic mirroring on data packets flowing through a heterogeneous network to obtain mirrored data; the Internet of Things site is configured to send the mirrored data to the analysis engine over an IP network through the SDWAN node; the analysis engine is configured to analyze the mirrored data in real time through a machine learning model, calculate a behavior deviation degree using an isolation forest algorithm, trigger an alarm event if the behavior deviation degree exceeds a preset threshold, send first instruction information and second instruction information to the policy executor if the behavior deviation degree exceeds a first preset threshold, or send the second instruction information to the policy executor if the behavior deviation degree exceeds a second preset threshold and does not exceed the first preset threshold; and the policy executor is configured to dynamically isolate an Internet of Things site which does not comply with a preset rule according to the first instruction information and/or send a differential patch package to the Internet of Things site according to the second instruction information.
  2. The system of claim 1, wherein the policy executor issues a flow table rule to the SDWAN node through an API interface according to the first instruction information.
  3. The system of claim 2, wherein the SDWAN node further comprises a controller configured to synchronize the flow table rule to all the Internet of Things sites; the Internet of Things sites identify malicious device traffic according to the flow table rule, discard or redirect traffic that matches the flow table rule, and forward traffic that does not match the flow table rule normally.
  4. The system of claim 1, wherein the policy executor scans an asset library for matching affected devices according to the second instruction information, and sends the differential patch package to the Internet of Things site connected to the affected devices in order to update them.
  5. The Internet of Things device security protection system of claim 4, wherein the affected device reports an update result to the Internet of Things site, and the monitoring device is configured to verify the update result to obtain a verification result.
  6. The Internet of Things device security protection system of claim 5, wherein the policy executor updates the asset status in the asset library according to the verification result.
  7. The Internet of Things device security protection system of claim 1, wherein the analysis engine performs metadata extraction on the mirrored data to obtain a fused multidimensional feature, wherein the multidimensional feature comprises a protocol feature, a time sequence feature, a data volume feature and a client feature.
  8. The Internet of Things device security protection system of claim 1, wherein during a training phase of the machine learning model the analysis engine is further configured to learn the behavior pattern of normal devices.
  9. The Internet of Things device security protection system of claim 1, wherein the analysis engine is further configured to perform Rootkit feature matching on the mirrored data and trigger the alarm event if the matching succeeds.
  10. A security protection device, characterized in that it comprises the Internet of Things device security protection system of any one of claims 1 to 9.

Description

Internet of things equipment safety protection system

Technical Field

The application relates to the technical field of the Internet of Things, in particular to a security protection system for Internet of Things devices.

Background

At present the number of Internet of Things devices keeps increasing, but their security protection has an inherent weakness: the devices are resource-constrained and can hardly host a traditional security agent, the network topology changes dynamically, the perimeter is blurred, and the attack surface spans multiple layers such as hardware, firmware and communication protocols. In the prior art a process monitoring tool is generally deployed on the device itself; however, this scheme consumes many resources and is unsuitable for low-power devices, static rule detection has a high miss rate, and vulnerability remediation is passive and lagging.

Disclosure of Invention

The application aims to provide a security protection system for Internet of Things devices that solves the technical problems of lagging response and an insufficient isolation mechanism in existing protection systems. The preferred technical solutions among those provided by the present application can produce the technical effects described below.

To achieve the above purpose, the present application provides the following technical solutions. The Internet of Things device security protection system comprises an analysis engine, SDWAN nodes and Internet of Things sites, wherein the SDWAN nodes comprise a policy executor and the Internet of Things sites comprise a monitoring device; the analysis engine is communicatively connected with a plurality of SDWAN nodes, and each SDWAN node is communicatively connected with at least one Internet of Things site and with other SDWAN nodes; the monitoring device is configured to mirror the traffic of data packets flowing through a heterogeneous network to obtain mirrored data; the Internet of Things sites are configured to send the mirrored data to the analysis engine over an IP network through the SDWAN nodes; the analysis engine is configured to analyze the mirrored data in real time through a machine learning model, calculate a behavior deviation degree using an isolation forest algorithm, trigger an alarm event if the behavior deviation degree exceeds a preset threshold, send first instruction information and second instruction information (or the first instruction information alone) to the policy executor if the behavior deviation degree exceeds a first preset threshold, and send the second instruction information to the policy executor if the behavior deviation degree exceeds a second preset threshold without exceeding the first; and the policy executor is configured to dynamically isolate Internet of Things sites that do not meet a preset rule according to the first instruction information and/or send a differential patch package to the Internet of Things sites according to the second instruction information.

In some embodiments, the policy executor issues a flow table rule to the SDWAN node through an API interface according to the first instruction information.

In some embodiments, the SDWAN node further includes a controller configured to synchronize the flow table rule to all the Internet of Things sites, where the Internet of Things sites identify malicious device traffic according to the flow table rule, discard or redirect traffic that matches the flow table rule, and forward traffic that does not match the flow table rule normally.

In some embodiments, the policy executor scans an asset library for matching affected devices according to the second instruction information, and sends the differential patch package to the Internet of Things site connected with the affected devices in order to update them.

In some embodiments, the affected device reports an update result to the Internet of Things site, and the monitoring device is configured to verify the update result to obtain a verification result.

In some embodiments, the policy executor updates the asset status in the asset library according to the verification result.

In some embodiments, the analysis engine performs metadata extraction on the mirrored data to obtain a fused multidimensional feature, where the multidimensional feature includes a protocol feature, a timing feature, a data volume feature and a client feature.

In some embodiments, during a training phase of the machine learning model, the analysis engine is further configured to learn the behavior pattern of normal devices.

In some embodiments, the analysis engine is further configured to perform Rootkit feature matching on the mirrored data and trigger the alarm event if the matching succeeds.

A second aspect of the present application provides a security protection device comprising an Internet of Things device security protection system as described above. The method has the advantages that the monitori
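The behavior deviation scoring and two-threshold dispatch described in the abstract, claims and description, as an added example that is not the patent's own code: the isolation forest is a minimal from-scratch implementation trained only on normal-device behavior, and the feature layout (packets per minute, bytes per minute, distinct peers), the threshold values and the baseline traffic are constructed assumptions.

```python
import math
import random

# Added example (not the patent's code): minimal isolation forest giving a behavior deviation
# degree in (0, 1), plus two-threshold dispatch. Features, thresholds, data are assumptions.

def _c(n):  # average BST unsuccessful-search depth; normalizes path lengths
    return 0.0 if n <= 1 else 2.0 * (math.log(n - 1) + 0.5772156649) - 2.0 * (n - 1) / n
def _grow(rows, depth, limit, rng):
    # Isolation tree: pick a random dimension, split uniformly within its range.
    if depth >= limit or len(rows) <= 1:
        return ("leaf", len(rows))
    dim = rng.randrange(len(rows[0]))
    lo, hi = min(r[dim] for r in rows), max(r[dim] for r in rows)
    if lo == hi:
        return ("leaf", len(rows))
    split = rng.uniform(lo, hi)
    return ("node", dim, split, _grow([r for r in rows if r[dim] < split], depth + 1, limit, rng),
            _grow([r for r in rows if r[dim] >= split], depth + 1, limit, rng))
def _path_length(tree, x, depth=0):
    if tree[0] == "leaf":
        return depth + _c(tree[1])  # unresolved leaf: add its expected remaining depth
    _, dim, split, left, right = tree
    return _path_length(left if x[dim] < split else right, x, depth + 1)

def fit(normal_rows, n_trees=100, sample=64, seed=7):
    # Training phase learns only normal-device behavior (claim 8).
    rng, sample = random.Random(seed), min(sample, len(normal_rows))
    limit = math.ceil(math.log2(sample))
    return [_grow(rng.sample(normal_rows, sample), 0, limit, rng) for _ in range(n_trees)], sample

def deviation(model, x):
    # Shorter average isolation path => behavior deviation degree closer to 1.
    trees, sample = model
    avg = sum(_path_length(t, x) for t in trees) / len(trees)
    return 2.0 ** (-avg / _c(sample))

def dispatch(dev, alarm_t=0.5, second_t=0.55, first_t=0.65):
    # Assumed threshold ordering: first > second > alarm.
    actions = ["alarm"] if dev > alarm_t else []
    if dev > first_t:
        actions += ["isolate", "patch"]  # first and second instruction information
    elif dev > second_t:
        actions.append("patch")  # second instruction information only
    return actions

# Constructed baseline: (packets/min, bytes/min, distinct peers) for normal devices.
_rng = random.Random(1)
NORMAL = [(_rng.gauss(100, 10), _rng.gauss(5e4, 5e3), _rng.gauss(5, 1)) for _ in range(200)]
MODEL = fit(NORMAL)
```

A device whose mirrored traffic looks like the baseline scores well below 0.5, while one sending orders of magnitude more packets to many more peers scores high enough to reach the isolate-and-patch branch.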