Intelligent protection method and system for Internet of Things (IoT) devices
1. An IoT device intelligent protection method, characterized in that the intelligent protection method comprises:
crawling vulnerability reports from a plurality of vulnerability databases with a web crawler, so that a large number of vulnerability reports is obtained;
performing data cleaning on the crawled vulnerability reports to screen out texts, such as advertisements or vulnerability reviews, that are obviously not vulnerability reports; then extracting the entities in each vulnerability report with regular expressions, checking with an entity checking script whether the entities of the vulnerability report actually exist, and on that basis performing a second round of screening on the remaining vulnerability reports;
extracting the entities in the vulnerability report with regular expressions, and checking with an entity checking script whether the entities of the vulnerability report actually exist;
extracting parameter information, PoC information and vulnerability file position information from the vulnerability report by NLP, vulnerability file position extraction, sandbox simulation and PoC information extraction, so as to generate a vulnerability signature;
automatically generating a defense rule to be deployed on a firewall from the generated vulnerability signature, and performing protection performance detection with IoT firmware emulation to verify that the signature rules generated by the system are valid and harmless.
2. The IoT device intelligent defense method recited in claim 1, wherein the data cleansing operation comprises:
running a filtering module on the reports crawled from vulnerability database websites to filter out documents irrelevant to vulnerability reports;
identifying IoT vulnerability reports among the remaining documents with a recognizer, and extracting the device type, manufacturer, model, CVE number and other key information as the vulnerability description; and performing an entity check, namely searching Google for the set of entities consisting of device type, manufacturer and model and using the search result as the index for judging whether the entity exists: if the number of search results exceeds 52, the vulnerability report is regarded as an IoT vulnerability report.
3. The IoT device intelligent defense method recited in claim 2, wherein the documents irrelevant to vulnerability reports comprise: documents containing more than 95% dictionary words, documents with more than 25 hyperlinks, and documents with more than 5 CVE numbers.
4. The IoT device smart defense method recited in claim 1, wherein the defense rule generation comprises:
performing static text analysis or dynamic script analysis on the IoT vulnerability reports that meet the conditions to generate vulnerability signatures, classifying the vulnerability signatures, and generating filtering rules that are automatically deployed on the firewall;
and, at the same time, updating the data automatically on a daily basis and automatically generating firewall filtering rules from the standardized reports.
5. The IoT device intelligent defense method recited in claim 1, wherein the automatic defense rule generation based on the extracted vulnerability information and classification results comprises:
clustering the IoT vulnerability reports that describe the same IoT vulnerability on the basis of the extracted and classified vulnerability data, including device type, vendor, product name and other vulnerability information, and, for each cluster, extracting the vulnerability semantics and other structured information from the vulnerability reports and generating a vulnerability signature.
6. The IoT device intelligent defense method in accordance with claim 5, wherein extracting the vulnerability semantics and other structured information from the vulnerability report and generating vulnerability-specific signatures with the attack surface further comprises:
extracting parameter information, PoC information and position information from the vulnerability report by NLP, vulnerability file position extraction, sandbox simulation and PoC information extraction, and forming a signature from the related parameter group; IoT Guardian automatically translates the signature into a regular-expression-based protection rule for existing common firewalls.
7. A program storage medium receiving user input, the stored computer program causing an electronic device to perform the IoT device smart defense method recited in any one of claims 1-6, comprising:
step one, crawling vulnerability reports from a plurality of vulnerability databases with a web crawler, so that a large number of vulnerability reports is obtained;
step two, performing data cleaning on the crawled vulnerability reports to screen out texts, such as advertisements or vulnerability reviews, that are obviously not vulnerability reports; then extracting the entities in each vulnerability report with regular expressions, checking with an entity checking script whether the entities of the vulnerability report actually exist, and on that basis performing a second round of screening on the remaining vulnerability reports;
step three, extracting the entities in the vulnerability report with regular expressions, and checking with an entity checking script whether the entities of the vulnerability report actually exist;
step four, extracting parameter information, PoC information and vulnerability file position information from the vulnerability report by NLP, vulnerability file position extraction, sandbox simulation and PoC information extraction, so as to generate a vulnerability signature;
step five, automatically generating a defense rule from the vulnerability signature generated in step four, and performing protection performance detection with IoT firmware emulation to verify that the signature rules generated by the system are valid and harmless.
8. A computer program product stored on a computer-readable medium, comprising a computer-readable program that, when executed on an electronic device, provides a user input interface to implement the IoT device smart defense method recited in any of claims 1-6.
9. An IoT device intelligent defense system that performs the IoT device intelligent defense method recited in any of claims 1-6, the IoT device intelligent defense system comprising:
a vulnerability report automatic acquisition module based on a web crawler, which extracts vulnerability reports from the Internet;
a data cleaning module based on regular-expression and dictionary matching, which extracts vulnerability information from the vulnerability reports with an IoT vulnerability extractor and classifies the vulnerability reports in detail by a multi-dimensional report processing mode;
a signature generation module based on NLP, sandbox simulation and static text analysis, which generates a unique signature for each vulnerability;
and a performance detection module, which generates, for each vulnerability signature, a protection rule that can be deployed directly on a firewall and detects the performance of the generated protection rule.
10. An IoT device, wherein the IoT device is configured to implement the IoT device smart safeguard method recited in any one of claims 1-6.
Background
At present, cyber attacks based on the Internet of Things (IoT) have emerged in recent years. Most of these attacks target devices that have vulnerabilities, exploiting known IoT device vulnerabilities.
IoT vulnerability life cycle. Typically, an IoT device vulnerability is a flaw in its firmware that enables an attacker to bypass the deployed security measures. Such vulnerabilities have a life cycle characterized by discovery, disclosure, exploitation and repair. When a vendor, hacker or third-party security researcher finds a vulnerability, the vulnerability is considered discovered. The security risk is particularly high if it is first discovered by a hacker. The next phase is public disclosure by the discoverer, which should be done through a coordinated process in which the vulnerability information is kept secret long enough for the vendor to create a patch. However, this procedure is not always followed. Real-world leaks occur in different ways through sources on the Internet, including personal blogs, public forums and security mailing lists. Once a vulnerability is publicly disclosed, anyone can obtain information about it for free; as the hacker community then actively develops and publishes exploits (so-called 0-day attacks), the security risk level increases further. Approximately 80% of IoT vulnerability reports are published together with exploitation methods that hackers can use easily. Worse, the vendor may not provide any security update or patch in response to the disclosure, even when it could. Furthermore, even if a patch is available, many users of the affected IoT devices do not apply it because updating the firmware is too complicated. The life cycle of an IoT vulnerability ends when all IoT users have installed a patch that fixes it. However, even when an IoT device has a serious security flaw and the vendor has released the patch, some users are unable to apply it in time because of limited knowledge. Some IoT vulnerabilities have a life span of more than five years, during which they can be exploited at any time.
Signatures may be used to describe a particular attack on a vulnerability or to model the vulnerability itself. The latter provides full protection against all relevant attacks at the vulnerability location and is referred to as a vulnerability-specific signature. Such signatures are typically created by analyzing vulnerabilities manually. However, the inventors find that signatures can be generated automatically for the vulnerability reports published in large vulnerability databases through NLP, text analysis and sandbox simulation.
From the above analysis, the problems and defects of the prior art are as follows: the security provided by existing protection methods is not high. At present, most vendors analyze and patch only a single vulnerability on a single device, and do not extend the protection for a device vulnerability to the vendor's other devices or to IoT devices in general; the current vulnerability protection landscape therefore lacks consolidated vulnerability protection covering all types of IoT devices.
The difficulty in solving the above problems and defects is as follows: although there has been research on IoT device vulnerability analysis in recent years both domestically and abroad, that research addresses only one vulnerability type for a given device type or firmware type, and there is very little collection of vulnerabilities and their protection rules across all devices of the mainstream vendors. The main reasons the problem is hard to solve at present are, on the one hand, that the large body of vulnerability description text related to IoT devices cannot be completely collected and accurately analyzed and, on the other hand, that the key vulnerability information cannot be extracted from those texts accurately and efficiently and deployed on a firewall for protection.
The significance of solving these problems and defects is as follows: the system not only effectively prevents vulnerability attacks against IoT devices, but also offers IoT device manufacturers a new approach to device security testing and development, and is of importance for subsequent research on IoT protection rules.
Disclosure of Invention
In view of the problems in the prior art, the invention provides an intelligent protection method and system for IoT devices.
The invention realizes an intelligent protection system for IoT devices, which comprises:
a vulnerability report automatic acquisition module based on a web crawler, which extracts vulnerability reports from the Internet;
a data cleaning module based on regular-expression and dictionary matching, which extracts vulnerability information from the vulnerability reports with an IoT vulnerability extractor and classifies the vulnerability reports in detail by a multi-dimensional report processing mode;
a signature generation module based on NLP, sandbox simulation, static text analysis and the like, which generates a unique signature for each vulnerability;
and a performance detection module, which generates, from the vulnerability signature, a protection rule that can be deployed directly on a firewall and detects the performance of the generated protection rule.
Another object of the present invention is to provide an IoT device intelligent defense method applying the intelligent defense system, where the IoT device intelligent defense method includes:
step one, crawling vulnerability reports from a plurality of vulnerability databases with a web crawler, so that a large number of vulnerability reports is obtained;
step two, performing data cleaning on the crawled vulnerability reports to screen out texts, such as advertisements or vulnerability reviews, that are obviously not vulnerability reports; then extracting the entities in each vulnerability report with regular expressions, checking with an entity checking script whether the entities of the vulnerability report actually exist, and on that basis performing a second round of screening on the remaining vulnerability reports;
step three, extracting the entities in the vulnerability report with regular expressions, and checking with an entity checking script whether the entities of the vulnerability report actually exist;
step four, extracting parameter information, PoC information and vulnerability file position information from the vulnerability report by NLP, vulnerability file position extraction, sandbox simulation and PoC information extraction, so as to generate a vulnerability signature;
step five, automatically generating a defense rule from the vulnerability signature generated in step four, and performing protection performance detection with IoT firmware emulation to verify that the signature rules generated by the system are valid and harmless.
Further, in step two, the data cleansing operation includes:
running a filtering module on the reports crawled from vulnerability database websites to filter out documents irrelevant to vulnerability reports; such documents include, but are not limited to, documents containing more than 95% dictionary words, documents with more than 25 hyperlinks, and documents with more than 5 CVE numbers. The remaining documents are identified as IoT vulnerability reports with a recognizer, and the device type, vendor, model, CVE number and other key information are extracted as the vulnerability description. An entity check is then applied: Google is searched for the set of entities consisting of device type, manufacturer and model, and the search result is used as the index for judging whether the entity exists; if the number of search results exceeds 52, the vulnerability report is regarded as an IoT vulnerability report.
Further, in step five, the defense rule generation comprises:
performing static text analysis or dynamic script analysis on the IoT vulnerability reports that meet the conditions to generate vulnerability signatures, classifying the vulnerability signatures, and generating filtering rules that are automatically deployed on the firewall;
and, at the same time, updating the data automatically on a daily basis and automatically generating firewall filtering rules from the standardized reports.
Further, the automatic defense rule generation includes:
clustering the IoT vulnerability reports that describe the same IoT vulnerability on the basis of the extracted and classified vulnerability data, including device type, vendor, product name and other vulnerability information, and, for each cluster, extracting the vulnerability semantics and other structured information from the vulnerability reports and generating a vulnerability signature.
Further, extracting the vulnerability semantics and other structured information from the vulnerability report and generating vulnerability-specific signatures from the attack surface further includes:
extracting parameter information, PoC information and position information from the vulnerability report by NLP, vulnerability file position extraction, sandbox simulation and PoC information extraction, and forming a signature from the related parameter group; IoT Guardian automatically translates the signature into a regular-expression-based protection rule for existing common firewalls.
By combining all of the above technical schemes, the invention has the following advantages and positive effects: for the mainstream IoT products on the market, the invention realizes automatic vulnerability detection and intercepts a variety of attacks. The method obtains vulnerability reports with a crawler, cleans them by keyword matching, analyzes them in all aspects, generates signatures by content splicing and deploys them automatically to the device firewall, intercepting 1-day and N-day vulnerability attacks without affecting normal operation of the device; it can also analyze vulnerability reports and generate attack-interception signatures automatically. The invention runs automatically, is provided as a client with a simple interface, is easy to operate and is convenient for users to use on their own.
The invention can be deployed on an existing intrusion detection system or web application firewall to detect exploitation attempts against the target IoT device, thereby markedly raising the bar for future IoT attacks to succeed.
Drawings
Fig. 1 is a schematic diagram of an intelligent protection system according to an embodiment of the present invention.
FIG. 2 is a schematic structural diagram of an intelligent protection system provided in an embodiment of the present invention;
in the figure: 1, the vulnerability report automatic acquisition module based on a web crawler; 2, the automatic screening module based on regular-expression and dictionary matching; 3, the rule generation module based on NLP and text clustering; 4, the performance detection module.
Fig. 3 is a schematic diagram of an IoT device intelligent defense method according to an embodiment of the present invention.
Fig. 4 is a flowchart of an IoT device intelligent defense method according to an embodiment of the present invention.
FIG. 5 is a block diagram of an emulated firmware framework architecture according to an embodiment of the invention.
Fig. 6 is a schematic diagram of a VeryNginx operation flow provided by an embodiment of the present invention.
Fig. 7 is a schematic diagram of the config.json configuration of VeryNginx according to an embodiment of the present invention.
Fig. 8 is a schematic diagram of a signature rule and the corresponding firewall filtering rule according to an embodiment of the present invention.
Fig. 9 is a schematic diagram of the exploit script failing to execute according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail with reference to the following embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
In view of the problems in the prior art, the present invention provides an intelligent protection method and system for IoT devices, and the following describes the present invention in detail with reference to the accompanying drawings.
As shown in fig. 1-2, an IoT device intelligent defense system provided in an embodiment of the present invention includes:
the vulnerability report automatic acquisition module 1, based on a web crawler, which extracts vulnerability reports from the Internet;
the data cleaning module 2, which extracts vulnerability information from the crawled vulnerability reports with an IoT vulnerability extractor and classifies the vulnerability reports in detail by a multi-dimensional report processing mode;
the signature generation module 3, which generates automatic defense rules based on the extracted vulnerability information and classification results;
and the performance detection module 4, which detects the protection performance.
As shown in fig. 3 to fig. 4, an IoT device intelligent defense method provided in an embodiment of the present invention includes:
S101, crawling vulnerability reports from a plurality of vulnerability databases with a web crawler, so that a large number of vulnerability reports is obtained;
S102, performing data cleaning on the crawled vulnerability reports to screen out texts, such as advertisements or vulnerability reviews, that are obviously not vulnerability reports; then extracting the entities in each vulnerability report with regular expressions, checking with an entity checking script whether the entities of the vulnerability report actually exist, and on that basis performing a second round of screening on the remaining vulnerability reports;
S103, extracting the entities in the vulnerability report with regular expressions, and checking with an entity checking script whether the entities of the vulnerability report actually exist;
S104, extracting parameter information, PoC information and vulnerability file position information from the vulnerability report by NLP, vulnerability file position extraction, sandbox simulation and PoC information extraction, so as to generate a vulnerability signature;
S105, automatically generating a defense rule from the vulnerability signature generated in S104, and performing protection performance detection with IoT firmware emulation to verify that the signature rules generated by the system are valid and harmless.
Extracting vulnerability information from the crawled vulnerability reports with the IoT vulnerability extractor comprises the following steps:
crawling vulnerability reports from large vulnerability database websites with a crawler, and running a filtering module on the crawled reports to filter out vulnerability reports that do not meet the specification and documents that are irrelevant to vulnerabilities;
and identifying and screening the remaining documents with the recognizer to obtain the IoT vulnerability reports, and extracting the device type, manufacturer, model, CVE number, author, release date and other key information as the vulnerability description.
Documents irrelevant to vulnerability reports, as provided by the embodiment of the invention, include, but are not limited to, those with the following characteristics: documents containing more than 95% dictionary words, documents with more than 25 hyperlinks, and documents with more than 5 CVE numbers.
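The two-stage screening described above (the three document-level filters, regular-expression entity extraction, and the search-hit entity check with its 52-hit threshold from claim 2), written out as an added Python example that is not part of the patent's own code. The entity regexes, the tiny dictionary, the sample documents, the placeholder CVE numbers, the hypothetical endpoint and parameter names, and the fake hit-count table are all constructed for the example; a deployment would substitute a real word list and a real search API.

```python
import re
from typing import Callable, Dict

# Thresholds taken from the patent's data-cleaning description.
MAX_DICT_WORD_RATIO = 0.95   # more dictionary words than this: prose, not a report
MAX_HYPERLINKS = 25
MAX_CVE_IDS = 5
MIN_SEARCH_HITS = 52         # entity check: more hits than this means the entity exists

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)
WORD_RE = re.compile(r"[A-Za-z]+")
# Hypothetical entity patterns; the patent does not publish its own regexes.
DEVICE_RE = re.compile(r"\b(router|camera|nas|gateway|switch)\b", re.IGNORECASE)
VENDOR_RE = re.compile(r"\b(Tenda|D-Link|TP-Link|Netgear)\b")
MODEL_RE = re.compile(r"\b([A-Z]{1,4}-?\d{2,4}[A-Z]?)\b")

# Tiny constructed dictionary; a deployment would load a full word list.
DICTIONARY = set(
    "a an and are as at be by for from has have in is it its of on or that the "
    "this to very was we with you good easy use price low like lot product works "
    "well cheap fast recommend buy".split()
)


def dictionary_word_ratio(text: str) -> float:
    words = [w.lower() for w in WORD_RE.findall(text)]
    if not words:
        return 0.0
    return sum(w in DICTIONARY for w in words) / len(words)


def is_irrelevant(text: str) -> bool:
    """First screening: the three document-level filters from the patent."""
    return (
        dictionary_word_ratio(text) > MAX_DICT_WORD_RATIO
        or len(URL_RE.findall(text)) > MAX_HYPERLINKS
        or len({m.upper() for m in CVE_RE.findall(text)}) > MAX_CVE_IDS
    )


def extract_entities(text: str) -> Dict[str, object]:
    """Regex entity extraction: device type, vendor, model and CVE numbers."""
    cves = sorted({m.upper() for m in CVE_RE.findall(text)})
    stripped = CVE_RE.sub("", text)   # stop "CVE-2021" from matching MODEL_RE
    device = DEVICE_RE.search(stripped)
    vendor = VENDOR_RE.search(stripped)
    model = MODEL_RE.search(stripped)
    return {
        "device_type": device.group(1).lower() if device else None,
        "vendor": vendor.group(1) if vendor else None,
        "model": model.group(1) if model else None,
        "cve": cves,
    }


def entity_exists(entities: Dict[str, object], hit_count: Callable[[str], int]) -> bool:
    """Second screening: search the entity set and compare the hit count with 52."""
    query = f"{entities['vendor']} {entities['model']} {entities['device_type']}"
    return hit_count(query) > MIN_SEARCH_HITS


def classify_report(text: str, hit_count: Callable[[str], int]) -> str:
    if is_irrelevant(text):
        return "irrelevant"
    ents = extract_entities(text)
    if not all(ents[k] for k in ("device_type", "vendor", "model")):
        return "not_iot"
    if not entity_exists(ents, hit_count):
        return "not_iot"
    return "iot_vulnerability_report"


# Constructed sample documents (not from the patent); CVE IDs are placeholders
# and the endpoint/parameter names are hypothetical, not the real router's.
REPORT = (
    "Tenda AC15 router command injection (CVE-0000-0001). The httpd binary "
    "passes the cmd parameter of /goform/example_cmd to system() unsanitised. "
    "PoC: POST /goform/example_cmd with cmd=;touch integrated_cert"
)
UNKNOWN_DEVICE = "Tenda XZ9999 camera buffer overflow (CVE-0000-0002) in the rtsp service."
REVIEW = "this product is very good and easy to use the price is low and we like it a lot"
LINK_FARM = " ".join(f"http://example.com/page{i}" for i in range(26))
CVE_ROUNDUP = "Weekly roundup: " + " ".join(f"CVE-0000-{i:04d}" for i in range(1, 7))

# Constructed stand-in for the Google hit count so the example runs offline.
FAKE_HITS = {"Tenda AC15 router": 1200, "Tenda XZ9999 camera": 3}


def fake_hit_count(query: str) -> int:
    return FAKE_HITS.get(query, 0)


if __name__ == "__main__":
    for name, doc in [("REPORT", REPORT), ("UNKNOWN_DEVICE", UNKNOWN_DEVICE),
                      ("REVIEW", REVIEW), ("LINK_FARM", LINK_FARM),
                      ("CVE_ROUNDUP", CVE_ROUNDUP)]:
        print(f"{name:15} -> {classify_report(doc, fake_hit_count)}")
```

The CVE filter counts distinct IDs, so a report that repeats one CVE number in its title and body is not mistaken for a weekly roundup; the model regex runs on text with the CVE IDs removed, since "CVE-2021" would otherwise look like a model number.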
The defense rule generation provided by the embodiment of the invention comprises the following steps:
performing text analysis on the eligible IoT vulnerability reports to generate a signature containing the key vulnerability information, converting the signature into a filtering rule that can be deployed on a firewall, and deploying the filtering rule on the firewall automatically;
and, at the same time, updating the data automatically on a daily basis and automatically generating firewall filtering rules from the standardized reports.
The technical effects of the present invention will be described in detail with reference to experiments.
In order to verify that the signatures block vulnerability attacks effectively, the invention emulates the device firmware on a virtual machine and installs a firewall in front of it.
Because IoT device firmware is mostly built on a UNIX-like (Linux) kernel, the invention can deploy already open-source emulated device firmware on a virtual machine to perform its rule and signature verification work. The invention uses the ARM-X integrated framework to emulate the device firmware. The ARM-X firmware emulation framework is a collection of scripts, kernels and file systems for emulating ARM/Linux IoT devices with QEMU. It is intended to facilitate IoT research by virtualizing as many physical devices as possible, giving virtual machines that are as close as possible to the real IoT device. So far the framework has enabled 9 different devices.
Briefly, the invention deploys the ARM-X framework in a virtual machine, and the ARM-X framework in turn deploys the emulated device as a virtual machine inside it; the framework and the device have different virtual machine IP addresses, so the detailed process flow can be divided as shown in Fig. 5.
The emulated device firmware obtained with ARM-X behaves like a standard UNIX-like system; the invention takes the Tenda AC15 Wi-Fi router as an example.
After the virtual device is deployed, a firewall needs to be deployed for the emulated device; the invention uses the open-source VeryNginx firewall for this. VeryNginx is developed on top of lua-nginx-module (OpenResty) and implements an advanced firewall, access statistics and other functions. It runs inside Nginx, extends the functions of Nginx and provides a friendly web interface.
The custom behavior of VeryNginx consists of two main components, Matcher and Action. A Matcher may contain one or more conditions, which currently support the following: client IP, Host, User-Agent, URI, Referer and request Args, which basically cover the fields used by present-day IoT attack requests. When a request satisfies all the conditions contained in a Matcher, the Matcher is hit, i.e., the attack request is captured. Each Action references a Matcher, and when that Matcher is hit, the Action is executed. An example is shown in Fig. 6.
In summary, the verification and the subsequent automatic rule deployment work of the invention revolve mainly around creating the Matcher and the Action. The VeryNginx firewall filtering rules are deployed and updated by writing or rewriting the config.json file.
The formats of the Matcher and the Action in the VeryNginx configuration file config.json are shown in Fig. 7. The invention mainly modifies the parameters of several Matcher keys, such as Args, Header, Cookie, URI, Host, User-Agent, Referer, IP and Method; the configuration of the Action is stored under the filter_rules key of config.json, where the invention modifies the enable, custom_response, code, matcher and action parameters.
The verification work of the invention is operated mainly through the web-page configuration and by changing config.json. This part is explained using the command injection vulnerability on the Tenda AC15 Wi-Fi router as an example.
First, the invention uses the script provided with the vulnerability report to inject the command "touch integrated_cert" into the emulated router deployed in ARM-X, which writes an integrated_cert file into the router's file system; the appearance of the integrated_cert file in the router's file system indicates that the injection succeeded.
Then the invention starts the VeryNginx firewall and configures the Matcher and Action according to the rule generated for the vulnerability, as shown in Fig. 8, so that the firewall can block the script's attack. The script is then made to inject the command "touch integrated_cert" into the emulated router again; the script's output is as shown in Fig. 9, and the file does not appear in the file system, so the invention successfully verifies that the signature is valid.
This verification shows not only that the signature rule extracted from the report and deployed on the firewall filters the attack effectively, but also that the product can defend against the full range of vulnerability attacks.
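The signature-to-rule translation and the firewall check described in the preceding paragraphs, as an added Python example that is neither the patent's nor VeryNginx's code. It turns a hypothetical signature for the Tenda AC15 command-injection case into a matcher and a filter rule in the shape the page describes for config.json, and then evaluates the PoC request and two benign requests against them with a simplified model of VeryNginx's all-conditions-must-match semantics, which is the "valid and harmless" check the verification step calls for. The endpoint, parameter name, key spelling and the "=" / "≈" (regex) operators are assumptions to confirm against the deployed VeryNginx version before writing the file.

```python
import json
import re
from typing import List, Tuple

# Hypothetical signature as the patent's extractor might emit it: HTTP method,
# vulnerable endpoint, injected parameter and a pattern for the injected value.
# The endpoint and parameter names are constructed placeholders.
SIGNATURE = {
    "name": "tenda_ac15_cmd_injection",
    "method": "POST",
    "uri": "/goform/example_cmd",
    "param": "cmd",
    "value_pattern": r"[;&|`$]",   # shell metacharacters that enable injection
}


def signature_to_rules(sig: dict) -> Tuple[dict, dict]:
    """Translate one signature into a VeryNginx-style matcher and filter rule.

    Key names follow the page's description (Args, URI, Method; enable,
    custom_response, code, matcher, action); the exact schema is an assumption.
    """
    matcher = {
        "Method": {"value": sig["method"]},
        "URI": {"operator": "=", "value": sig["uri"]},
        "Args": {
            "name_operator": "=", "name_value": sig["param"],
            "value_operator": "≈", "value": sig["value_pattern"],
        },
    }
    filter_rule = {
        "enable": True,
        "matcher": sig["name"],
        "action": "block",
        "code": "403",
        "custom_response": "",
    }
    return matcher, filter_rule


def build_config(signatures: List[dict]) -> dict:
    """Produce the matcher and filter_rules sections to merge into config.json."""
    config = {"matcher": {}, "filter_rules": []}
    for sig in signatures:
        matcher, rule = signature_to_rules(sig)
        config["matcher"][sig["name"]] = matcher
        config["filter_rules"].append(rule)
    return config


def _op(operator: str, pattern: str, value: str) -> bool:
    if operator == "=":
        return value == pattern
    if operator == "≈":
        return re.search(pattern, value) is not None
    raise ValueError(f"unsupported operator {operator!r}")


def matcher_hits(matcher: dict, request: dict) -> bool:
    """Simplified model of VeryNginx matching: every condition must hold."""
    for key, cond in matcher.items():
        if key == "Method":
            ok = request["method"] == cond["value"]
        elif key == "URI":
            ok = _op(cond["operator"], cond["value"], request["uri"])
        elif key == "Args":   # some argument must match on both name and value
            ok = any(
                _op(cond["name_operator"], cond["name_value"], name)
                and _op(cond["value_operator"], cond["value"], value)
                for name, value in request["args"].items()
            )
        else:
            raise ValueError(f"unsupported matcher key {key!r}")
        if not ok:
            return False
    return True


def filter_request(config: dict, request: dict) -> int:
    """Return the HTTP status the firewall would answer with (200 = passed)."""
    for rule in config["filter_rules"]:
        if not rule["enable"] or rule["action"] != "block":
            continue
        if matcher_hits(config["matcher"][rule["matcher"]], request):
            return int(rule["code"])
    return 200


# Constructed requests: the PoC from the verification step and two benign ones.
POC_REQUEST = {"method": "POST", "uri": "/goform/example_cmd",
               "args": {"cmd": ";touch integrated_cert"}}
BENIGN_REQUEST = {"method": "POST", "uri": "/goform/example_cmd",
                  "args": {"cmd": "status"}}
OTHER_URI = {"method": "GET", "uri": "/index.html", "args": {}}

if __name__ == "__main__":
    cfg = build_config([SIGNATURE])
    print(json.dumps(cfg, indent=2, ensure_ascii=False))
    for label, req in [("PoC", POC_REQUEST), ("benign", BENIGN_REQUEST), ("other", OTHER_URI)]:
        print(f"{label:7} -> {filter_request(cfg, req)}")
```

Anchoring the rule to the exact URI and parameter, rather than to the literal PoC payload, is what makes it a vulnerability-specific signature in the sense of the Background section: any metacharacter in that parameter is blocked, while the same parameter with an ordinary value and every other endpoint pass untouched, which is the "harmless" half of the check.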
It should be noted that embodiments of the present invention can be implemented in software or in a combination of software and hardware. Those skilled in the art will appreciate that the apparatus and methods described above may be implemented using computer-executable instructions and/or embodied in processor control code, such code being provided on a carrier medium such as a disk, CD- or DVD-ROM, programmable memory such as read-only memory (firmware), or a data carrier such as an optical or electronic signal carrier. Because the invention retains the complete vulnerability attack path and parameters, the protection function is realized through VeryNginx in this embodiment, but the invention can easily be deployed on a variety of firewalls or gateway systems.
The above description is only for the purpose of illustrating the present invention and the appended claims are not to be construed as limiting the scope of the invention, which is intended to cover all modifications, equivalents and improvements that are within the spirit and scope of the invention as defined by the appended claims.