
CN113660291A - Method and device for preventing malicious tampering of intelligent large-screen display information

Publication number: CN113660291A
Authority: CN (China)
Prior art keywords: information, large screen, target communication, intelligent large, communication flow
Legal status: Granted
Application number: CN202111212042.8A
Other languages: Chinese (zh)
Other versions: CN113660291B (en
Inventors: 王滨, 刘松, 李志强, 万里, 张峰, 闫琛
Current Assignee: Hangzhou Hikvision Digital Technology Co Ltd
Original Assignee: Hangzhou Hikvision Digital Technology Co Ltd

Events

  • Application filed by Hangzhou Hikvision Digital Technology Co Ltd
  • Priority to CN202111212042.8A
  • Publication of CN113660291A
  • Application granted
  • Publication of CN113660291B
  • Active (current legal status)

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H04L63/1425: Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The application provides a method and a device for preventing malicious tampering of intelligent large-screen display information. The method comprises the following steps: monitoring communication traffic on a link between the intelligent large screen and the message publishing platform in a bypass monitoring mode; performing traffic analysis on the monitored communication traffic and identifying target communication traffic within it; parsing the target communication traffic and determining whether the display information in the target communication traffic is malicious information; and, when the display information in the first target communication traffic is determined to be malicious information, setting the display information of the first intelligent large screen to white information according to the recorded password of the first intelligent large screen. The method can improve the security of the information displayed on the intelligent large screen.

Description

Method and device for preventing malicious tampering of intelligent large-screen display information
Technical Field
The application relates to the field of data security, in particular to a method and a device for preventing malicious tampering of intelligent large-screen display information.
Background
A screen is an Internet of Things device, and as screens become IP-networked and intelligent, the future will be an era of screens.
At present, intelligent large screens such as outdoor LED screens and traffic guidance screens can be seen everywhere, and they are characterized by openness and sharing. These two characteristics make the intelligent large screen an easy target for attackers, so that it becomes a channel through which attackers spread malicious information.
An attacker compromises an information publishing device of the intelligent large screen (such as an information publishing platform) to publish malicious information, or uses hacking techniques to maliciously tamper with the display information sent to the intelligent large screen, thereby achieving the purpose of spreading malicious information.
In the prior art, protection of the intelligent large screen is usually realized by deploying malicious-information scanning software on a target host and detecting whether a malicious file or a malicious program exists on the host, but such methods cannot effectively detect malicious tampering of the information displayed on the intelligent large screen.
Disclosure of Invention
In view of this, the present application provides a method and an apparatus for preventing malicious tampering of intelligent large-screen display information.
Specifically, the application is realized through the following technical solutions:
According to a first aspect of the embodiments of the present application, a method for preventing malicious tampering of intelligent large-screen display information is provided, which is applied to a protection device, and the method includes:
monitoring communication traffic on a link between the intelligent large screen and the message publishing platform in a bypass monitoring mode;
carrying out flow analysis on the monitored communication flow, and identifying a target communication flow in the monitored communication flow; the target communication flow is information to be issued sent to the intelligent large screen;
analyzing the target communication flow, and determining whether display information in the target communication flow is malicious information;
when the display information in the first target communication flow is determined to be malicious information, setting the display information of the first intelligent large screen as white information according to the recorded password of the first intelligent large screen; the first target communication traffic is the target communication traffic sent to the first smart large screen.
According to a second aspect of the embodiments of the present application, there is provided an intelligent large screen display information malicious tampering prevention device, including:
the monitoring unit is used for monitoring the communication traffic on a link between the intelligent large screen and the message publishing platform in a bypass monitoring mode;
the identification unit is used for carrying out flow analysis on the monitored communication flow and identifying target communication flow in the monitored communication flow; the target communication flow is information to be issued sent to the intelligent large screen;
the determining unit is used for analyzing the target communication flow and determining whether display information in the target communication flow is malicious information;
the protection unit is used for setting the display information of the first intelligent large screen as white information according to the recorded password of the first intelligent large screen when the display information in the first target communication flow is determined to be malicious information; the first target communication traffic is the target communication traffic sent to the first smart large screen.
According to a third aspect of embodiments of the present application, there is provided an electronic device, including a processor and a machine-readable storage medium, where the machine-readable storage medium stores machine-executable instructions executable by the processor, and the processor is configured to execute the machine-executable instructions to implement the method for protecting against malicious tampering of smart large-screen display information provided in the above first aspect.
According to a fourth aspect of embodiments of the present application, a machine-readable storage medium is provided, in which a computer program is stored, and when the computer program is executed by a processor, the method for protecting malicious tampering of intelligent large-screen display information provided by the first aspect is implemented.
The method of the embodiments of the present application monitors, in a bypass monitoring mode, the communication traffic on the link between the intelligent large screen and the message publishing platform, performs traffic analysis on the monitored communication traffic, and identifies the target communication traffic within it. The target communication traffic can then be parsed to determine whether the display information it carries is malicious information. When the display information in the first target communication traffic is determined to be malicious information, the display information of the first intelligent large screen is set to white information according to the recorded password of the first intelligent large screen. In this way, when the display information of an intelligent large screen is maliciously tampered with, the display information of the attacked screen can be replaced with white information, which reduces the harm caused when the intelligent large screen is attacked and improves the security of its display information.
Drawings
Fig. 1 is a flowchart illustrating a method for preventing malicious tampering of intelligent large-screen display information according to an exemplary embodiment of the present application;
Fig. 2 is a schematic architecture diagram illustrating a specific application scenario according to an exemplary embodiment of the present application;
Fig. 3 is a schematic flowchart illustrating an implementation of malicious tampering protection for intelligent large-screen display information according to an exemplary embodiment of the present application;
Fig. 4 is a schematic diagram illustrating a device for preventing malicious tampering of intelligent large-screen display information according to an exemplary embodiment of the present application;
Fig. 5 is a schematic diagram of a hardware structure of an electronic device according to an exemplary embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
In order to make the technical solutions provided in the embodiments of the present application better understood and make the above objects, features and advantages of the embodiments of the present application more comprehensible, the technical solutions in the embodiments of the present application are described in further detail below with reference to the accompanying drawings.
It should be noted that, the sequence numbers of the steps in the embodiments of the present application do not mean the execution sequence, and the execution sequence of each process should be determined by the function and the inherent logic of the process, and should not constitute any limitation to the implementation process of the embodiments of the present application.
Referring to Fig. 1, which is a schematic flowchart of a method for preventing malicious tampering of intelligent large-screen display information according to an embodiment of the present application, the method can be applied to a protection device and, as shown in Fig. 1, can include the following steps:
Step S100, monitoring the communication traffic on a link between the intelligent large screen and the message publishing platform in a bypass monitoring mode.
In the embodiment of the application, it is considered that an attacker who publishes malicious messages through the intelligent large screen generally needs to use the link between the intelligent large screen and the message publishing platform.
In order to identify malicious information issued by an attacker in time, communication traffic on a link between the intelligent large screen and the message issuing platform can be monitored.
For example, in order to reduce the influence of traffic monitoring on normal communication traffic between the smart large screen and the message publishing platform, communication traffic on a link between the smart large screen and the message publishing platform may be monitored in a bypass monitoring manner.
For example, bypass traffic monitoring may be performed on a switching device in the middle of a link between the smart large screen and the message publishing platform, communication traffic received by the switching device is mirrored, and subsequent processing is performed according to the obtained mirrored communication traffic.
Step S110, carrying out flow analysis on the monitored communication flow, and identifying a target communication flow in the monitored communication flow; the target communication flow is information to be issued sent to the intelligent large screen.
In the embodiment of the application, it is considered that the display information displayed through the intelligent large screen generally needs to be carried in the message publishing information and sent to the intelligent large screen. When an attacker releases malicious information through an intelligent large screen, the malicious information also needs to be carried in the message release information.
Thus, malicious information aimed at intelligent large screens generally has, but is not limited to, the following two features:
First, the malicious information is carried in message publishing information;
Second, the destination device of the message publishing information carrying the malicious information is an intelligent large screen.
Accordingly, the communication traffic monitored in step S100 may be subjected to traffic analysis, and whether the monitored communication traffic matches the two characteristics is identified from the perspective of the data format and the destination address information, so as to identify the information to be issued (referred to as a target communication traffic herein) sent to the smart screen in the monitored communication traffic.
Step S120, analyzing the target communication flow, and determining whether the display information in the target communication flow is malicious information.
In the embodiment of the application, the identified target communication traffic can be analyzed, the display information carried in the target communication traffic is extracted, and whether the display information carried in the target communication traffic is malicious information is determined.
For example, when it is determined that the displayed information in the target communication traffic is malicious information, the step S130 may be continuously performed; when the display information carried in the target communication traffic is determined not to be malicious information, monitoring of the communication traffic, identification of the target communication traffic, analysis of the target communication traffic and identification of the malicious information can be continuously performed.
Step S130, when the display information in the first target communication flow is determined to be malicious information, setting the display information of the first intelligent large screen as white information according to the recorded password of the first intelligent large screen; the first target communication flow is the target communication flow sent to the first intelligent large screen.
It should be noted that, in the embodiment of the present application, the first smart large screen does not refer to a fixed smart large screen, but refers to any smart large screen that performs malicious tamper protection on displayed information by using the technical solution provided in the embodiment of the present application.
In the embodiment of the application, when it is determined that the display information in the target communication traffic (referred to as the first target communication traffic herein) sent to the first smart large screen is malicious information, the display information of the first smart large screen may be set as white information according to the recorded password of the first smart large screen.
Illustratively, in order to replace malicious information in time when the malicious information is identified, passwords of all smart screens can be recorded.
Illustratively, when the smart large screen receives message publishing information, it authenticates the device that published the message publishing information according to the password, and after the authentication passes it extracts the display information carried in the message publishing information and displays it.
Illustratively, when it is determined that the display information in the first target communication traffic sent to the first smart large screen is malicious information, a simulated information publishing mode may be used: according to the recorded password of the first smart large screen, message publishing information whose display information is white information is sent to the first smart large screen, so that the first smart large screen updates its displayed information to white information.
Illustratively, the white information may include blank information or other information that does not include valid information.
It can be seen that, in the method flow shown in Fig. 1, the communication traffic on the link between the smart large screen and the message publishing platform is monitored in a bypass monitoring mode, traffic analysis is performed on the monitored communication traffic, and the target communication traffic within it is identified. The target communication traffic can then be parsed to determine whether the display information it carries is malicious information. When the display information in the first target communication traffic is determined to be malicious information, the display information of the first intelligent large screen is set to white information according to the recorded password of the first intelligent large screen. In this way, when the display information of an intelligent large screen is maliciously tampered with, the display information of the attacked screen can be replaced with white information, which reduces the harm caused when the intelligent large screen is attacked and improves the security of its display information.
In some embodiments, the identifying a target communication traffic among the monitored communication traffic in step S110 may include:
according to the recorded address information of the intelligent large screen, determining the communication flow of which the destination address is matched with the address information of the intelligent large screen in the monitored communication flow as a first type communication flow; and determining the first type communication flow of which the data format is matched with the data format of the preset message release information in the first type communication flow as the target communication flow according to the data format of the preset message release information.
Illustratively, when an attacker tampers with the display information of the intelligent large screen, malicious information is carried in the message publishing information and is sent to the intelligent large screen.
Therefore, in order to identify malicious information, the message issuing information sent to the smart large screen can be identified from the monitored communication traffic.
For example, the monitored communication traffic (referred to as the first type communication traffic herein) whose destination address matches the address information of the smart screen may be identified according to the recorded address information (e.g., IP address) of the smart screen.
For example, the communication traffic whose destination IP address is the IP address of the smart screen may be determined as the first type communication traffic based on the IP address of the smart screen.
For example, the address information of the smart large screen may be identified and recorded through pre-configuration, or identified and recorded by analyzing the monitored communication traffic; a specific implementation of this identification is described below.
For example, for the identified first type of communication traffic, the message publishing information (i.e. the above target communication traffic) may be further identified from the first type of communication traffic according to a preset data format of the message publishing information, that is, the first type of traffic whose data format matches the preset data format of the message publishing information in the first type of communication traffic is determined as the target communication traffic.
In some embodiments, in step S120, parsing the target communication traffic to determine whether the display information in the target communication traffic is malicious information may include:
when the target communication flow is plaintext information, extracting display information in the target communication flow according to a preset data format of message release information, and determining whether the display information is malicious information;
when the target communication flow is ciphertext information, decrypting the target communication flow according to the recorded password of the intelligent large screen, extracting display information in the decrypted target communication flow according to a preset data format of message release information, and determining whether the display information is malicious information.
For example, it is contemplated that in some scenarios, when the message publishing platform sends message publishing information to the smart large screen, the message publishing information may be encrypted using a password of the smart large screen.
Accordingly, for the identified message distribution information (i.e., the above-mentioned target communication traffic) sent to the smart large screen, it can be identified as plaintext information or ciphertext information.
When the target communication flow is plaintext information, the display information in the target communication flow can be extracted according to a preset data format of the message release information, and whether the display information is malicious information or not is determined.
When the target communication flow is ciphertext information, the target communication flow can be decrypted according to the recorded password of the intelligent large screen, the display information in the decrypted target communication flow is extracted according to the preset data format of the message publishing information, and whether the display information is malicious information or not is determined.
In some embodiments, in the step S130, when it is determined that the display information in the first target communication traffic is malicious information, the method may further include:
Blocking the communication connection between the first intelligent large screen and other devices, where the other devices are the devices, other than the protection device, that are communicatively connected to the first intelligent large screen.
For example, in order to avoid a secondary attack on the first smart large screen, when it is recognized that the display information in the message publishing information sent to the first smart large screen (i.e., the first target communication traffic) is malicious information, the communication connection between the first smart large screen and other devices may be blocked, so as to prevent the attacker's device from tampering with the display information of the first smart large screen again.
For example, the communication connection between the first smart large screen and other devices, such as a TCP (Transmission Control Protocol) connection, may be blocked by sending a blocking packet to the first smart large screen.
In some embodiments, in step S130, when it is determined that the display information in the first target communication traffic is malicious information, the method may further include:
Updating the password of the first smart large screen.
For example, in order to avoid a secondary attack on the first smart large screen, when it is recognized that the display information in the message publishing information sent to the first smart large screen (i.e., the first target communication traffic) is malicious information, the password of the first smart large screen may be updated, so that an attacker cannot use the pre-update password to make the first smart large screen display malicious display information.
For example, updating the password of the first smart large screen may include updating both the device password stored in the first smart large screen and the password of the first smart large screen recorded by the protection device.
In some embodiments, when it is determined that the display information in the first target communication traffic is malicious information, the method may further include:
When the source device of the first target communication traffic is the message publishing platform, blocking the communication connection between the message publishing platform and the intelligent large screen.
For example, when it is determined that the display information in the first target communication traffic is malicious information, the source device of the first target communication traffic may also be determined.
For example, a source device of the first target communication traffic is determined according to a source IP address of the first target communication traffic.
When the source device of the first target communication flow is determined to be the message publishing platform, namely malicious information is published to the first intelligent large screen by the message publishing platform, the message publishing platform can be determined to be maliciously attacked, and at the moment, the communication connection between the message publishing platform and the intelligent large screen can be blocked, so that the message publishing platform is prevented from publishing the malicious information to other intelligent large screens.
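As an added example that is not part of the patent text, the following Python code walks constructed packet records through steps S110 to S130: destination-address filtering, data-format matching, plaintext or ciphertext extraction, and selection of the response actions described above. The `MPUB` wire format, the SHA-256 keystream standing in for the cipher the patent does not name, the denylist check, and all addresses and passwords are assumptions made for the example.

```python
import hashlib
import struct
from dataclasses import dataclass, field

# Constructed wire format (assumption; the patent only says "preset data format"):
#   4-byte magic b"MPUB" | 1-byte flag (0 = plaintext, 1 = ciphertext) |
#   2-byte big-endian body length | body (UTF-8 display text, possibly encrypted)
MAGIC = b"MPUB"
HEADER = struct.Struct(">4sBH")


def keystream_xor(password: str, data: bytes) -> bytes:
    """Stand-in cipher (SHA-256 counter keystream); the patent names no algorithm."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(password.encode() + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_message(text: str, password: str = None) -> bytes:
    """Build a constructed sample message, encrypted when a password is given."""
    body, flag = text.encode(), 0
    if password is not None:
        body, flag = keystream_xor(password, body), 1
    return HEADER.pack(MAGIC, flag, len(body)) + body


@dataclass
class Packet:
    """One mirrored packet, reduced to the fields the method inspects."""
    src: str
    dst: str
    payload: bytes


@dataclass
class Verdict:
    screen: str
    display_text: str
    malicious: bool
    actions: list = field(default_factory=list)


def parse_target(payload: bytes):
    """Return (flag, body) when the payload matches the preset format, else None."""
    if len(payload) < HEADER.size:
        return None
    magic, flag, length = HEADER.unpack_from(payload)
    if magic != MAGIC or flag not in (0, 1) or len(payload) != HEADER.size + length:
        return None
    return flag, payload[HEADER.size:]


def analyse(packet, screens, platform_ip, denylist):
    """screens maps each recorded screen address to its recorded password."""
    if packet.dst not in screens:            # S110: destination must be a recorded screen
        return None
    parsed = parse_target(packet.payload)    # S110: data format must match
    if parsed is None:
        return None
    flag, body = parsed
    if flag == 1:                            # S120: ciphertext, decrypt with recorded password
        body = keystream_xor(screens[packet.dst], body)
    text = body.decode("utf-8", errors="replace")
    malicious = any(term in text.lower() for term in denylist)  # hypothetical check
    verdict = Verdict(packet.dst, text, malicious)
    if malicious:                            # S130 and the optional follow-up measures
        verdict.actions = ["set_white_information", "block_screen_connections",
                           "update_screen_password"]
        if packet.src == platform_ip:        # the platform itself is the source
            verdict.actions.append("block_platform_connections")
    return verdict


# Constructed inventory and traffic, for illustration only.
SCREENS = {"10.0.5.21": "example-pass-A", "10.0.5.22": "example-pass-B"}
PLATFORM_IP = "10.0.1.10"
DENYLIST = ("hacked by",)
SAMPLE = [
    Packet("10.0.1.10", "10.0.5.21", build_message("Road closed ahead, use exit 12")),
    Packet("10.0.1.10", "10.0.9.9", build_message("HACKED BY nobody")),   # not a screen
    Packet("10.0.1.10", "10.0.5.21", b"GET /status HTTP/1.1\r\n\r\n"),    # wrong format
    Packet("10.0.7.77", "10.0.5.22", build_message("Hacked by nobody", "example-pass-B")),
    Packet("10.0.1.10", "10.0.5.21", build_message("hacked by nobody")),
]


def run(sample=SAMPLE):
    """Return the verdicts for every packet identified as target communication traffic."""
    verdicts = (analyse(p, SCREENS, PLATFORM_IP, DENYLIST) for p in sample)
    return [v for v in verdicts if v is not None]


if __name__ == "__main__":
    for v in run():
        print(v)
```
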
In some embodiments, before performing traffic analysis on the monitored communication traffic and identifying a target communication traffic in the monitored communication traffic in step S110, the method further includes:
identifying and recording address information of the intelligent large screen and address information of the message publishing platform;
and recording the corresponding relation between the address information and the password of each intelligent large screen according to the address information of the intelligent large screen and the acquired password of each intelligent large screen.
For example, the protection device may further identify and record address information of the smart large screen and address information of the message publishing platform, so as to identify traffic sent to the smart large screen according to the recorded address information of the smart large screen, and identify traffic sent by the message publishing platform according to the recorded address information of the message publishing platform.
Illustratively, the protection device may send a detection data packet designed specifically for smart large screens, determine from the received response data packets and their contents which responses were returned by a smart large screen, and obtain the address information of the smart large screen from those response data packets.
For example, after the smart large screen and the message publishing platform are deployed, the smart large screen may actively send a heartbeat data packet and a registration data packet to the message publishing platform, so that the address information of the message publishing platform may be identified according to the heartbeat data packet and the registration data packet in the monitored communication traffic and according to the destination addresses of the heartbeat data packet and the registration data packet.
In addition, because multiple smart large screens send their heartbeat data packets and registration data packets to the same message publishing platform, the identified address information of the message publishing platform can be verified by checking that the destination addresses of the heartbeat data packets and registration data packets sent by the multiple smart large screens are the same.
Illustratively, when the address information of the smart large screen is recognized, the corresponding relation between the address information of each smart large screen and the password can be recorded according to the recognized address information of the smart large screen and the acquired password of each smart large screen.
Illustratively, the password of each smart large screen can be obtained by reading a configuration file.
For example, the address information of each smart large screen may be used to screen the target communication traffic from the monitored communication traffic.
The correspondence between the address information of the smart large screen and the password can be used to decrypt identified ciphertext message publishing information and, when malicious information is identified, to replace the display information of the corresponding smart large screen with white information.
It should be noted that whether the identified and recorded address information of the smart large screens is complete can be checked by manual verification, and the address information of any smart large screen that was not automatically identified can be added by manual input, so that the address information of the smart large screens can be recorded with only a small amount of manual effort.
In order to enable those skilled in the art to better understand the technical solutions provided by the embodiments of the present application, the technical solutions provided by the embodiments of the present application are described below with reference to specific examples.
Referring to Fig. 2, which is an architecture diagram of a specific application scenario provided in the embodiment of the present application, the application scenario may include: the smart large screen, the message publishing platform, a switching device on the link between the smart large screen and the message publishing platform (only one switching device is shown in the figure), and the protection device.
In this embodiment, as shown in Fig. 2, the protection device may mirror the communication traffic on the switching device and, by performing traffic analysis on the mirrored communication traffic, identify whether malicious information is being sent to the smart large screen.
Illustratively, the protection device may include a traffic monitoring module, a password management module, a device blocking module, and an information simulation publishing module.
It should be noted that the protection device may be a standalone device attached to the switching device in a bypass (side-attached) manner; alternatively, the protection device may be integrated into the switching device.
In addition, the modules may be deployed together in the same device or distributed across different devices; that is, the traffic monitoring module, the password management module, the device blocking module, and the information simulation publishing module may be deployed in different devices that jointly form the protection device.
The following describes, module by module, the implementation flow of malicious tampering protection for smart large-screen display information. As shown in Fig. 3, the implementation flow may include the following steps:
S1, the traffic monitoring module monitors the communication traffic between the message publishing platform and the smart large screens, and records the IP address of each smart large screen and the IP address of the corresponding message publishing platform according to the monitored communication traffic.
For example, the traffic monitoring module may be deployed in bypass mode between the message publishing platform and the smart large screen, where it monitors the communication traffic between the message publishing platform and the smart large screen by bypass monitoring and records the IP address of the smart large screen and the IP address of the message publishing platform.
For example, taking the scenario shown in Fig. 2, the traffic monitoring module learns through traffic analysis and monitoring that the IP addresses of the smart large screens are <192.168.1.1, 192.168.1.2, 192.168.1.3>, and stores this IP address list of the smart large screens; the IP address of the message publishing platform obtained by monitoring is 192.168.1.8, and this IP address is stored as well.
S2, the traffic monitoring module pushes the monitored IP addresses of the smart large screens to the password management module, and the password management module records the correspondence between the IP address of each smart large screen and its password.
For example, the password management module and the traffic monitoring module may communicate with each other using a standard API (Application Programming Interface).
Illustratively, the password corresponding to each smart large screen can be entered into the password management module one by one.
Illustratively, the IP addresses of the smart large screens pushed by the traffic monitoring module can be further verified manually, and the IP address of any smart large screen not found by the traffic monitoring module can be added manually together with its corresponding password.
Taking the scenario shown in Fig. 2 as an example, the traffic monitoring module pushes <192.168.1.1, 192.168.1.2, 192.168.1.3> to the password management module, and the passwords corresponding to these IP addresses are then entered on the password management module to form the list of smart large-screen IP address-password pairs, namely <(192.168.1.1, xxxxxx), (192.168.1.2, xxxxxx), (192.168.1.3, xxxxxx)>.
Assuming that one smart large screen (with the IP address 192.168.1.4) was not found by the traffic monitoring module, its IP address and password can be entered on the password management module and added to the list of pairs; the address 192.168.1.4 is then pushed to the traffic monitoring module, which completes its IP list of the smart large screens, namely: <192.168.1.1, 192.168.1.2, 192.168.1.3, 192.168.1.4>.
S3, the flow monitoring module monitors the message sent to the intelligent large screen by the message publishing platform.
S4, the traffic monitoring module parses the message acquired in S3 in real time, according to the data format of the message publishing information sent to the smart large screen by the message publishing platform, to obtain the display information carried in the message publishing information.
Illustratively, the traffic monitoring module monitors the traffic sent to the smart large screen and filters out the message publishing information.
Taking the scenario shown in Fig. 2 as an example, the communication traffic whose destination IP address is one of <192.168.1.1, 192.168.1.2, 192.168.1.3, 192.168.1.4> may be identified among the monitored communication traffic (i.e., the first type communication traffic), and the message publishing information (i.e., the target communication traffic) is then filtered from the first type communication traffic according to the preset data format of the message publishing information.
For example, the traffic monitoring module may also parse in real time, according to the preset data format of the message publishing information, the communication traffic sent to the smart large screen by devices other than the message publishing platform.
For example, if the identified message publishing information is plaintext information, the display information may be extracted directly according to an extraction rule; if the monitored message publishing information is ciphertext information, the password corresponding to the smart large screen can be obtained from the password management module, the decryption operation is then performed to obtain the plaintext of the message publishing information, and the display information is then extracted.
S5, the display information parsed in S4 is examined to determine whether it is malicious information.
S6, if the display information is determined to be malicious information in S5, the source IP address (denoted IP1) and the destination IP address (denoted IP2) corresponding to the display information are determined, and IP2 is sent to the password management module. The password management module obtains the password corresponding to IP2 from the <IP, password> pairs recorded in S2, then sends a piece of white information to the smart large screen corresponding to IP2 through the information simulation publishing module, and records the correspondence between IP2 and the white information, such as <IP2, white information>, to facilitate subsequent review.
S7, after confirming that the information displayed on the smart large screen at IP2 is the white information, the password management module changes the password of the smart large screen corresponding to IP2 and records the new password of the smart large screen corresponding to IP2, so that the smart large screen is not attacked a second time.
S8, after IP1 and IP2 are determined in step S6, the device blocking module blocks the communication connection between IP1 and IP2 and blocks newly initiated communication connections of the smart large screen corresponding to IP2, to prevent further brute-force attacks on the smart large screen.
For example, assuming that the traffic monitoring module finds that the display information sent to the smart large screen with the IP address 192.168.1.1 is malicious information, the traffic monitoring module passes 192.168.1.1 to the password management module, and the password management module sets the display information of the smart large screen with the IP address 192.168.1.1 to white information by calling the information simulation publishing module.
In addition, the password management module can promptly change the password of the smart large screen to a new password; the device blocking module tears down the TCP connections between other devices and 192.168.1.1 by sending blocking packets.
For example, if the traffic monitoring module finds that the source device that published malicious information to the smart large screen with the IP address 192.168.1.1 is the message publishing platform, that is, the source IP address is 192.168.1.8, it may be determined that the message publishing platform sent the malicious information to the smart large screen, and further that the message publishing platform has been attacked. In this case the device blocking module is notified to promptly block the connections between the message publishing platform and all the smart large screens, that is, all communication connections between <192.168.1.1, 192.168.1.2, 192.168.1.3, 192.168.1.4> and 192.168.1.8 are blocked.
For example, if the traffic monitoring module finds that the IP address of the source device that published malicious information to the smart large screen with the IP address 192.168.1.1 is not 192.168.1.8, it may be determined that the device information was maliciously tampered with by a malicious tamperer.
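The flow of steps S1 to S8 as an added Python sketch; it is not code from the patent. The JSON message format, the `ENC1` ciphertext marker, the SHA-256 keystream cipher, the keyword denylist, the passwords and the action names are assumptions chosen for illustration, and the sample traffic is constructed around the addresses of the Fig. 2 example.

```python
"""Added illustration of S1-S8: learn the platform address, triage mirrored
records, plan the response. Format, cipher and denylist are assumptions."""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAGIC = b"ENC1"                      # hypothetical marker for ciphertext payloads
DENYLIST = ("hacked", "pwned")       # hypothetical stand-in for the S5 judgement

# Constructed <IP, password> pairs for the four screens of the example (S2).
SCREENS: Dict[str, str] = {
    "192.168.1.1": "pw-1", "192.168.1.2": "pw-2",
    "192.168.1.3": "pw-3", "192.168.1.4": "pw-4",
}


@dataclass(frozen=True)
class Record:
    """One mirrored message: source IP, destination IP, application payload."""
    src: str
    dst: str
    payload: bytes


def keystream_xor(data: bytes, password: str) -> bytes:
    """Stand-in cipher (assumption): XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(password.encode() + (i // 32).to_bytes(4, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)


def parse(payload: bytes, password: Optional[str] = None) -> Optional[dict]:
    """Decode a payload in the assumed format; None if it does not match."""
    if payload.startswith(MAGIC):
        if password is None:
            return None
        payload = keystream_xor(payload[len(MAGIC):], password)
    try:
        msg = json.loads(payload)
    except ValueError:               # covers bad JSON and undecodable bytes
        return None
    return msg if isinstance(msg, dict) else None


def infer_platform_ip(records: List[Record]) -> Optional[str]:
    """S1: the platform is the shared destination of the screens' heartbeat and
    registration packets; accept it only when at least two screens agree."""
    dest_by_screen: Dict[str, set] = {}
    for rec in records:
        msg = parse(rec.payload) if rec.src in SCREENS else None
        if msg and msg.get("type") in ("heartbeat", "register"):
            dest_by_screen.setdefault(rec.src, set()).add(rec.dst)
    dests = set().union(*dest_by_screen.values())
    return next(iter(dests)) if len(dest_by_screen) >= 2 and len(dests) == 1 else None


def plan_response(rec: Record, platform_ip: Optional[str]) -> List[Tuple[str, ...]]:
    """S3-S8 for one record: ordered actions, or [] when no response is needed."""
    if rec.dst not in SCREENS:                       # not first type traffic
        return []
    msg = parse(rec.payload, SCREENS[rec.dst])       # S4: plaintext or decrypt
    display = msg.get("display") if msg and msg.get("type") == "publish" else None
    if not isinstance(display, str):                 # not target traffic
        return []
    if not any(term in display.lower() for term in DENYLIST):   # S5
        return []
    # S6/S7: overwrite with white information, then rotate the screen password.
    actions: List[Tuple[str, ...]] = [("set_white", rec.dst), ("rotate_password", rec.dst)]
    # S8: a malicious publish from the platform means the platform is cut off
    # from every screen; otherwise only the offending pair is blocked.
    peers = sorted(SCREENS) if rec.src == platform_ip else [rec.dst]
    actions += [("block_pair", rec.src, ip) for ip in peers]
    actions.append(("block_new_connections", rec.dst))
    return actions


def publish(display: str, password: Optional[str] = None) -> bytes:
    """Build a constructed publish message, encrypted when a password is given."""
    body = json.dumps({"type": "publish", "display": display}).encode()
    return MAGIC + keystream_xor(body, password) if password else body


# Constructed sample traffic (not captured from any real system).
SAMPLE = [
    Record("192.168.1.1", "192.168.1.8", b'{"type": "register"}'),
    Record("192.168.1.2", "192.168.1.8", b'{"type": "heartbeat"}'),
    Record("192.168.1.8", "192.168.1.2", publish("Welcome")),
    Record("192.168.1.77", "192.168.1.1", publish("HACKED", "pw-1")),
    Record("192.168.1.8", "192.168.1.3", publish("screen pwned")),
]

if __name__ == "__main__":
    platform = infer_platform_ip(SAMPLE)
    for rec in SAMPLE:
        print(rec.src, "->", rec.dst, plan_response(rec, platform))
```

The planner only returns the ordered actions; sending the white information, changing the password and emitting blocking packets are left to the modules described in the text.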
The methods provided herein are described above. The following describes the apparatus provided in the present application:
Referring to Fig. 4, which is a schematic structural diagram of a device for protecting smart large-screen display information against malicious tampering according to an embodiment of the present disclosure, the device may include:
the monitoring unit 410 is used for monitoring the communication traffic on the link between the intelligent large screen and the message publishing platform in a bypass monitoring mode;
an identifying unit 420, configured to perform traffic analysis on the monitored communication traffic, and identify a target communication traffic in the monitored communication traffic; the target communication flow is information to be issued sent to the intelligent large screen;
a determining unit 430, configured to analyze the target communication traffic, and determine whether display information in the target communication traffic is malicious information;
the protection unit 440 is configured to, when it is determined that the display information in the first target communication traffic is malicious information, set the display information of the first smart large screen to white information according to the recorded password of the first smart large screen; the first target communication traffic is the target communication traffic sent to the first smart large screen.
In some embodiments, the identifying unit 420 identifies a target communication traffic among the monitored communication traffic, including:
according to the recorded address information of the intelligent large screen, determining the communication flow of which the destination address is matched with the address information of the intelligent large screen in the monitored communication flow as a first type communication flow;
and determining the first type communication traffic of which the data format is matched with the data format of the preset message release information in the first type communication traffic as the target communication traffic according to the data format of the preset message release information.
In some embodiments, the determining unit 430 parses the target communication traffic to determine whether display information in the target communication traffic is malicious information, including:
when the target communication flow is plaintext information, extracting display information in the target communication flow according to a preset data format of message release information, and determining whether the display information is malicious information;
and when the target communication flow is ciphertext information, decrypting the target communication flow according to the recorded password of the intelligent large screen, extracting display information in the decrypted target communication flow according to a preset data format of message release information, and determining whether the display information is malicious information.
In some embodiments, the protection unit 440 is further configured to block the communication connections between the first smart large screen and other devices, where the other devices are the devices, other than the protection device, that have a communication connection with the first smart large screen;
and/or,
to update the password of the first smart large screen.
In some embodiments, the protection unit 440 is further configured to block the communication connection between the message publishing platform and the smart large screen when the source device of the first target communication traffic is the message publishing platform.
In some embodiments, before the identifying unit 420 performs traffic analysis on the monitored communication traffic and identifies a target communication traffic in the monitored communication traffic, the method further includes:
identifying and recording address information of the intelligent large screen and address information of the message publishing platform;
and recording the corresponding relation between the address information and the password of each intelligent large screen according to the address information of the intelligent large screen and the acquired password of each intelligent large screen.
Fig. 5 is a schematic diagram of a hardware structure of an electronic device according to an embodiment of the present disclosure. The electronic device may comprise a processor 501, a machine readable storage medium 502 storing a computer program. The processor 501 and the machine-readable storage medium 502 may communicate via a system bus 503. Moreover, the processor 501 may execute any of the above described malicious tampering prevention methods for smart large screen display information by reading and executing a computer program corresponding to the malicious tampering prevention logic for smart large screen display information in the machine-readable storage medium 502.
The machine-readable storage medium 502 referred to herein may be any electronic, magnetic, optical, or other physical storage device that can contain or store information such as executable instructions, data, and the like. For example, the machine-readable storage medium may be: a RAM (Random Access Memory), a volatile memory, a non-volatile memory, a flash memory, a storage drive (e.g., a hard drive), a solid state drive, any type of storage disk (e.g., an optical disk, a DVD, etc.), or a similar storage medium, or a combination thereof.
In some embodiments, there is also provided a machine-readable storage medium having stored therein a computer program which, when executed by a processor, implements the above-described intelligent large screen display information malicious tamper protection method. For example, the machine-readable storage medium may be a ROM, a RAM, a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and so forth.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (12)

1. A method for protecting smart large-screen display information against malicious tampering, applied to a protection device, characterized by comprising the following steps:
monitoring communication traffic on a link between the intelligent large screen and the message publishing platform in a bypass monitoring mode;
carrying out flow analysis on the monitored communication flow, and identifying a target communication flow in the monitored communication flow; the target communication flow is information to be issued sent to the intelligent large screen;
analyzing the target communication flow, and determining whether display information in the target communication flow is malicious information;
when the display information in the first target communication flow is determined to be malicious information, setting the display information of the first intelligent large screen as white information according to the recorded password of the first intelligent large screen; the first target communication traffic is the target communication traffic sent to the first smart large screen.
2. The method of claim 1, wherein the identifying a target communication traffic in the monitored communication traffic comprises:
according to the recorded address information of the intelligent large screen, determining the communication flow of which the destination address is matched with the address information of the intelligent large screen in the monitored communication flow as a first type communication flow;
and determining the first type communication traffic of which the data format is matched with the data format of the preset message release information in the first type communication traffic as the target communication traffic according to the data format of the preset message release information.
3. The method of claim 1, wherein the parsing the target communication traffic to determine whether the display information in the target communication traffic is malicious information comprises:
when the target communication flow is plaintext information, extracting display information in the target communication flow according to a preset data format of message release information, and determining whether the display information is malicious information;
and when the target communication flow is ciphertext information, decrypting the target communication flow according to the recorded password of the intelligent large screen, extracting display information in the decrypted target communication flow according to a preset data format of message release information, and determining whether the display information is malicious information.
4. The method of claim 1, wherein when it is determined that the displayed information in the first target communication traffic is malicious information, the method further comprises:
blocking communication connection between the first intelligent large screen and other equipment, wherein the other equipment is equipment except the protective equipment in the equipment which is in communication connection with the first intelligent large screen;
and/or,
and updating the password of the first smart large screen.
5. The method of claim 1, wherein when it is determined that the displayed information in the first target communication traffic is malicious information, the method further comprises:
and when the source equipment of the first target communication flow is the message publishing platform, blocking the communication connection between the message publishing platform and the intelligent large screen.
6. The method of any of claims 1-5, wherein before performing traffic analysis on the monitored communication traffic to identify a target communication traffic in the monitored communication traffic, the method further comprises:
identifying and recording address information of the intelligent large screen and address information of the message publishing platform;
and recording the corresponding relation between the address information and the password of each intelligent large screen according to the address information of the intelligent large screen and the acquired password of each intelligent large screen.
7. A device for protecting smart large-screen display information against malicious tampering, characterized by comprising:
the monitoring unit is used for monitoring the communication traffic on a link between the intelligent large screen and the message publishing platform in a bypass monitoring mode;
the identification unit is used for carrying out flow analysis on the monitored communication flow and identifying target communication flow in the monitored communication flow; the target communication flow is information to be issued sent to the intelligent large screen;
the determining unit is used for analyzing the target communication flow and determining whether display information in the target communication flow is malicious information;
the protection unit is used for setting the display information of the first intelligent large screen as white information according to the recorded password of the first intelligent large screen when the display information in the first target communication flow is determined to be malicious information; the first target communication traffic is the target communication traffic sent to the first smart large screen.
8. The apparatus of claim 7, wherein the identifying unit identifies a target communication traffic among the monitored communication traffic, comprising:
according to the recorded address information of the intelligent large screen, determining the communication flow of which the destination address is matched with the address information of the intelligent large screen in the monitored communication flow as a first type communication flow;
and determining the first type communication traffic of which the data format is matched with the data format of the preset message release information in the first type communication traffic as the target communication traffic according to the data format of the preset message release information.
9. The apparatus according to claim 7, wherein the determining unit analyzes the target communication traffic to determine whether display information in the target communication traffic is malicious information, and includes:
when the target communication flow is plaintext information, extracting display information in the target communication flow according to a preset data format of message release information, and determining whether the display information is malicious information;
and when the target communication flow is ciphertext information, decrypting the target communication flow according to the recorded password of the intelligent large screen, extracting display information in the decrypted target communication flow according to a preset data format of message release information, and determining whether the display information is malicious information.
10. The apparatus of claim 7,
the protection unit is further used for blocking communication connection between the first intelligent large screen and other equipment, and the other equipment is equipment except the protection equipment in the equipment which is in communication connection with the first intelligent large screen;
and/or,
and updating the password of the first smart large screen.
11. The apparatus of claim 7,
the protection unit is further configured to block communication connection between the message publishing platform and the smart large screen when the source device of the first target communication traffic is the message publishing platform.
12. The apparatus according to any one of claims 7-11, wherein the identifying unit performs traffic analysis on the monitored communication traffic, and further comprises, before identifying a target communication traffic in the monitored communication traffic:
identifying and recording address information of the intelligent large screen and address information of the message publishing platform;
and recording the corresponding relation between the address information and the password of each intelligent large screen according to the address information of the intelligent large screen and the acquired password of each intelligent large screen.
CN202111212042.8A 2021-10-18 2021-10-18 Method and device for preventing malicious tampering of intelligent large-screen display information Active CN113660291B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111212042.8A CN113660291B (en) 2021-10-18 2021-10-18 Method and device for preventing malicious tampering of intelligent large-screen display information

Publications (2)

Publication Number Publication Date
CN113660291A true CN113660291A (en) 2021-11-16
CN113660291B CN113660291B (en) 2022-03-01

Family

ID=78484216

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111212042.8A Active CN113660291B (en) 2021-10-18 2021-10-18 Method and device for preventing malicious tampering of intelligent large-screen display information

Country Status (1)

Country Link
CN (1) CN113660291B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118101996A (en) * 2024-04-23 2024-05-28 无锡路通视信网络股份有限公司 Universal large-screen content release system

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN206260037U (en) * 2016-08-29 2017-06-16 山东大境电子技术有限公司 Security protection large-size screen monitors monitoring system
CN107579995A (en) * 2017-09-30 2018-01-12 北京奇虎科技有限公司 The network protection method and device of onboard system
CN110719271A (en) * 2019-09-26 2020-01-21 杭州安恒信息技术股份有限公司 Combined defense method for bypass flow detection equipment and terminal protection equipment
CN110933049A (en) * 2019-11-16 2020-03-27 杭州安恒信息技术股份有限公司 Network illegal information monitoring method and system based on video capture
CN111277877A (en) * 2018-11-20 2020-06-12 慧盾信息安全科技(苏州)股份有限公司 Multimedia display large-screen safety protection system and method based on content identification
CN113055409A (en) * 2021-05-31 2021-06-29 杭州海康威视数字技术股份有限公司 Video Internet of things equipment portrait and anomaly detection method, device and system
CN113098846A (en) * 2021-03-17 2021-07-09 苏州三六零智能安全科技有限公司 Industrial control flow monitoring method, equipment, storage medium and device

Also Published As

Publication number Publication date
CN113660291B (en) 2022-03-01

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant