CN106656984B - Safety operation control method, system and its equipment of equipment in local area network - Google Patents
Publication number: CN106656984B (application CN201610934255.4A)
Authority: CN (China)
Legal status: Active
Classifications
- H04L: Transmission of digital information, e.g. telegraphic communication (H: Electricity; H04: Electric communication technique)
    - H04L63/00: Network architectures or network communication protocols for network security
        - H04L63/14: for detecting or protecting against malicious traffic
            - H04L63/1441: Countermeasures against malicious traffic
        - H04L63/04: for providing a confidential data exchange among entities communicating through data packet networks
            - H04L63/0428: wherein the data content is protected, e.g. by encrypting or encapsulating the payload
        - H04L63/06: for supporting key management in a packet data network
            - H04L63/061: for key exchange, e.g. in peer-to-peer networks
Abstract
The invention discloses a method, a system and a device for controlling the secure operation of devices in a local area network. The method includes: while a first device in the local area network runs in a first security level mode, detecting whether it is under a malicious attack; if the first device is detected to be under attack, performing key agreement with a server to obtain a first authority key, so that the interactive information between the first device and the server is encrypted with the first authority key; and sending to the other devices in the local area network a broadcast message indicating operation in a second security level mode, where the security level of the second security level mode is higher than that of the first security level mode, so that the devices in the local area network running in the first security level mode switch to the second security level mode. The method achieves interactivity among the devices in the local area network: when one device is attacked, the other devices can be effectively alerted, which improves the security protection efficiency of the devices in the local area network.
    Description
Technical Field
    The present invention relates to the field of information security technologies, and in particular, to a method, a system, and a device for security control of a device in a local area network.
    Background
    With the development of internet technology, in many application scenarios, terminal devices can communicate in a local area network, for example, in an intelligent home application scenario, devices such as a home air conditioner can communicate with a related server in the home local area network.
    However, in recent years security incidents involving smart devices have occurred frequently; for example, a smart car was compromised by a program so that an attacker could remotely control it, including remotely unlocking the car, sounding its horn and flashing its lights. Therefore, how to improve the security protection efficiency of the devices in the local area network has become an urgent problem to be solved.
    Disclosure of Invention
    The object of the present invention is to solve at least to some extent one of the above mentioned technical problems.
    Therefore, a first object of the present invention is to provide a method for safely operating and controlling devices in a local area network, which achieves interactivity of devices in the local area network, and when one device is attacked, can effectively remind other devices, thereby improving the safety protection efficiency of the devices in the local area network.
    The second purpose of the invention is to propose another method for safely operating and controlling the devices in the local area network.
    The third purpose of the present invention is to provide another method for safely operating and controlling devices in a local area network.
    A fourth object of the present invention is to provide a terminal device.
    A fifth object of the invention is to propose another terminal device.
    A sixth object of the present invention is to propose a terminal control device.
    A seventh object of the present invention is to provide a system for safely operating devices in a local area network.
    In order to achieve the above object, an embodiment of a first aspect of the present invention provides a method for safely operating and controlling devices in a local area network, including the following steps:
    detecting whether the first equipment in the local area network is attacked illegally in the process of running in a first security level mode;
    if the first equipment is detected to be attacked illegally, performing key negotiation with a server to obtain a first authority key so as to encrypt interactive information between the first equipment and the server by applying the first authority key;
    and sending a broadcast message of a second security level mode operation to other devices in the local area network, wherein the security level of the second security level mode is higher than that of the first security level mode, so that the devices in the local area network operating in the first security level mode are switched to the second security level mode.
    The method for safely controlling the devices in the local area network detects whether the first device in the local area network is illegally attacked or not in the process of running in the first safety level mode, if the first device is detected to be illegally attacked, the first device and a server perform key negotiation to obtain a first authority key, interactive information between the first device and the server is encrypted by applying the first authority key, and a broadcast message of running in a second safety level mode is sent to other devices in the local area network, wherein the safety level of the second safety level mode is higher than that of the first safety level mode, so that the devices running in the first safety level mode in the local area network are switched to the second safety level mode. Therefore, the interactivity of the equipment in the local area network is realized, when one equipment is attacked, other equipment can be effectively reminded, and the safety protection efficiency of the equipment in the local area network is improved.
    In addition, the method for safely controlling the devices in the local area network according to the embodiment of the present invention further has the following additional technical features:
    in an embodiment of the present invention, detecting whether the first device is attacked illegally includes:
    acquiring the number of target data packets in preset time;
    and if the number of the target data packets meets a preset condition, detecting and knowing that the first equipment is attacked illegally.
    In one embodiment of the present invention, the target data packets include query data packets or control data packets;
    if the number of the target data packets meets a preset condition, detecting and knowing that the first device is attacked illegally, wherein the detecting and knowing includes:
    if the number of the query data packets is larger than a preset first threshold value, detecting and knowing that the first equipment is attacked illegally; or,
    and if the number of the control data packets is larger than a preset second threshold value, detecting and knowing that the first equipment is attacked illegally.
    In order to achieve the above object, an embodiment of a second aspect of the present invention provides another method for safely operating and controlling devices in a local area network, including the following steps:
    receiving, by a second device in the local area network, a broadcast message sent by a first device indicating operation in a second security level mode, wherein the security level of the second security level mode is higher than that of the first security level mode;
    and if the second device currently operates in the first security level mode, performing key negotiation with a server to obtain a second authority key so as to encrypt the interactive information between the second device and the server by applying the second authority key.
    According to the security control method for the devices in the local area network, the second device in the local area network receives the broadcast message sent by the first device indicating operation in the second security level mode, wherein the security level of the second security level mode is higher than that of the first security level mode; if the second device currently runs in the first security level mode, it performs key negotiation with the server to obtain the second authority key, and the second authority key is used to encrypt the interactive information between the second device and the server. Therefore, the interactivity of the devices in the local area network is realized: when one device is attacked, the other devices can raise their security level mode in response to the attacked device's broadcast message, and the security protection efficiency of the devices in the local area network is improved.
    In order to achieve the above object, an embodiment of a third aspect of the present invention provides a method for safely operating devices in a local area network, including the following steps:
    receiving, by a terminal control device in the local area network, a broadcast message sent by a first device indicating operation in a second security level mode, wherein the security level of the second security level mode is higher than that of the first security level mode;
    analyzing the identification information of the first equipment from the broadcast message, and sending a token query request carrying the identification information to a server;
    receiving a token corresponding to the identification information fed back by the server;
    and performing key agreement with the first device according to the token to obtain a third authority key so as to apply the third authority key to encrypt the interactive information between the first device and the terminal control device.
    The terminal control device in the local area network receives a broadcast message sent by a first device indicating operation in a second security level mode, wherein the security level of the second security level mode is higher than that of the first security level mode, parses identification information of the first device from the broadcast message, sends a token query request carrying the identification information to a server, receives from the server the token corresponding to the identification information, and performs key negotiation with the first device according to the token to obtain a third authority key, so that interactive information between the first device and the terminal control device is encrypted with the third authority key. Therefore, the security of communication data between the terminal control device and the terminal device is ensured.
    In order to achieve the above object, a fourth aspect of the present invention provides a terminal device, including:
    the detection module is used for detecting whether the terminal equipment in the local area network is attacked illegally or not in the process of running in the first security level mode;
    the first obtaining module is used for carrying out key negotiation with a server to obtain a first authority key when detecting that the terminal equipment is subjected to illegal attack so as to encrypt interactive information between the first equipment and the server by applying the first authority key;
    the first sending module is configured to send a broadcast message of a second security level mode to other devices in the local area network, where a security level of the second security level mode is higher than that of the first security level mode, so that the devices in the local area network operating in the first security level mode are switched to the second security level mode, and then perform communication interaction with the terminal device through the authority key.
    The terminal device of the embodiment of the invention detects whether the first device in the local area network is under illegal attack in the process of running in the first security level mode, if the first device is detected to be under illegal attack, the terminal device and the server perform key negotiation to obtain the first authority key, so that the first authority key is applied to encrypt the interactive information between the first device and the server, and broadcast messages of running in the second security level mode are sent to other devices in the local area network, wherein the security level of the second security level mode is higher than that of the first security level mode, so that the devices running in the first security level mode in the local area network are switched to the second security level mode. Therefore, the interactivity of the equipment in the local area network is realized, when one equipment is attacked, other equipment can be effectively reminded, and the safety protection efficiency of the equipment in the local area network is improved.
    In addition, the terminal device of the embodiment of the present invention further has the following additional technical features:
    in one embodiment of the invention, the detection module comprises:
    the first acquisition unit is used for acquiring the number of target data packets within preset time;
    and the detection unit is used for detecting and knowing that the first equipment is attacked illegally when the number of the target data packets meets a preset condition.
    In one embodiment of the present invention, the target data packets include query data packets or control data packets;
    the detecting unit is configured to, if the number of target packets satisfies a preset condition:
    when the number of the query data packets is larger than a preset first threshold value, detecting to acquire that the terminal equipment is attacked illegally; or,
    and when the number of the control data packets is larger than a preset second threshold value, detecting to acquire that the terminal equipment is attacked illegally.
    In order to achieve the above object, a fifth embodiment of the present invention provides another terminal device, including:
    a first receiving module, configured to receive, at a terminal device in a local area network, a broadcast message sent by a first device indicating operation in a second security level mode, where the security level of the second security level mode is higher than that of the first security level mode;
    a second obtaining module, configured to perform key negotiation with the server to obtain a second authority key when the terminal device currently runs in the first security level mode, so as to encrypt the interactive information between the second device and the server by applying the second authority key, and to acquire an authority key of the first device;
    and a communication module, configured to carry out communication interaction with the first device in the second security level mode through the authority key.
    In the terminal device of the embodiment of the present invention, a second device in a local area network receives a broadcast message sent by a first device indicating operation in a second security level mode, where the security level of the second security level mode is higher than that of the first security level mode; if the second device currently operates in the first security level mode, it performs key negotiation with a server to obtain a second authority key, encrypts the interaction information between the second device and the server with the second authority key, obtains the authority key of the first device, and carries out communication interaction with the first device in the second security level mode through that authority key. Therefore, the interactivity of the devices in the local area network is realized: when one device is attacked, the other devices can raise their security level mode in response to the attacked device's broadcast message, and the security protection efficiency of the devices in the local area network is improved.
    In order to achieve the above object, a sixth aspect of the present invention provides a terminal control device, including:
    a second receiving module, configured to receive, at a terminal control device in a local area network, a broadcast message sent by a first device and running in a second security level mode, where a security level of the second security level mode is higher than that of the first security level mode;
    the analysis module is used for analyzing the identification information of the first equipment from the broadcast message;
    the second sending module is used for sending a token query request carrying the identification information to a server;
    the second receiving module is further configured to receive a token corresponding to the identification information, which is fed back by the server;
    and the third obtaining module is used for performing key agreement with the first equipment according to the token to obtain a third authority key so as to apply the third authority key to encrypt the interactive information between the first equipment and the terminal control equipment.
    The terminal control device in the local area network receives a broadcast message sent by a first device indicating operation in a second security level mode, wherein the security level of the second security level mode is higher than that of the first security level mode, parses identification information of the first device from the broadcast message, sends a token query request carrying the identification information to a server, receives from the server the token corresponding to the identification information, and performs key negotiation with the first device according to the token to obtain a third authority key, so as to encrypt interactive information between the first device and the terminal control device with the third authority key. Therefore, the security of communication data between the terminal control device and the terminal device is ensured.
    In order to achieve the above object, a seventh embodiment of the present invention provides a system for safely operating devices in a local area network, including: the terminal device according to the fourth embodiment of the present invention, the terminal device according to the fifth embodiment of the present invention, the terminal control device according to the sixth embodiment of the present invention, and the server.
    The security control system for the devices in the local area network detects whether the first device in the local area network is subjected to an illegal attack while it runs in the first security level mode; if the first device is detected to be under illegal attack, the first device and the server perform key negotiation to obtain a first authority key, interactive information between the first device and the server is encrypted by applying the first authority key, and a broadcast message indicating operation in the second security level mode is sent to the other devices in the local area network, wherein the security level of the second security level mode is higher than that of the first security level mode, so that the devices running in the first security level mode in the local area network are switched to the second security level mode, and the terminal control device encrypts its information interaction with the first device. Therefore, the interactivity of the devices in the local area network is realized: when one device is attacked, the other devices can be effectively alerted, and the security protection efficiency of the devices in the local area network is improved.
    Additional aspects and advantages of the invention will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the invention.
    Drawings
    The foregoing and/or additional aspects and advantages of the present invention will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings of which:
    fig. 1 is a flowchart of a method for operating a device in a local area network according to an embodiment of the present invention;
    fig. 2 is a flowchart of a method for operating a device in a local area network according to another embodiment of the present invention;
    fig. 3 is a flowchart of a security control method for devices in a local area network according to still another embodiment of the present invention;
    fig. 4 is a schematic structural diagram of a terminal device according to an embodiment of the present invention;
    fig. 5 is a schematic structural diagram of a terminal device according to another embodiment of the present invention;
    fig. 6 is a schematic structural diagram of a terminal device according to yet another embodiment of the present invention;
    fig. 7 is a schematic structural diagram of a terminal control device according to an embodiment of the present invention; and
    fig. 8 is a schematic structural diagram of a security control system of a device in a local area network according to an embodiment of the present invention.
    Detailed Description
    Reference will now be made in detail to embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to the same or similar elements or elements having the same or similar function throughout. The embodiments described below with reference to the drawings are illustrative and intended to be illustrative of the invention and are not to be construed as limiting the invention.
    The following describes a security control method and system for devices in a local area network and devices thereof according to an embodiment of the present invention with reference to the accompanying drawings.
    With the spread of intelligent device technology in recent years, security incidents involving intelligent devices have occurred frequently. For example, a design flaw was exposed in the application program of the Tesla Model S, allowing an attacker to remotely control the vehicle, including unlocking it, sounding the horn, flashing the lights and opening the sunroof while the vehicle was running. In October 2015, at a PWN conference, a hacker demonstrated a Da Jiang (DJI) drone ceasing to respond to its remote control after being attacked.
    Because the use demand of the masses on the intelligent equipment is continuously increased, the attack technology on the intelligent product is continuously strengthened, and the attack technology is rapidly developed, so that the safety of the intelligent product becomes one of the most popular topics from time to time, and the safety protection level directly influences the safety of the equipment, the safety of the user privacy and the like.
    Therefore, in order to improve the safety protection efficiency of the devices in the local area network, the invention provides the safety control method of the devices in the local area network, the safety control method of the devices in the local area network can realize the interaction between the devices in the local area network, when one device is attacked, other devices can be effectively reminded, so that the other devices can take corresponding protection measures, and the safety protection efficiency of the devices in the local area network is improved.
    For convenience of explanation, the description will first focus on the device side that is first attacked, and the specific explanation is as follows:
    fig. 1 is a flowchart of a method for operating a device in a local area network according to an embodiment of the present invention. As shown in fig. 1, the method for operating and controlling devices in a local area network includes:
    s101, detecting whether the first device in the local area network is attacked illegally in the process of running in the first security level mode.
    Specifically, in order to protect the security of the terminal in different environments, different security level modes are usually set for a device, each corresponding to a different security protection strength: the operating authority of a lower security level corresponds to a safer environment and provides weaker security protection, while the operating authority of a higher security level corresponds to a less stable environment and provides stronger security protection.
    That is, since the device is vulnerable to an attack when it is in an environment with a low security level, in order to improve detection efficiency, it is detected whether the first device in the lan is under an illegal attack when it operates in a low security level mode.
    Wherein the lower security level is expressed in a first security level for convenience of description.
    In addition, according to different application scenarios, the first device may include different devices, for example, in a smart home application scenario, the first device may be a device such as a home air conditioner or a refrigerator.
    It should be noted that, according to different application requirements, different manners may be adopted to detect whether the first device is attacked illegally. Examples are as follows:
    in a first example, whether the first device receives an illegal attack may be determined according to an information transmission capability of the first device.
    In this example, the number of target data packets within the preset time may be obtained, and if the number of target data packets meets the preset condition, it indicates that the information transmission capability of the first device is damaged, so that it is detected that the first device is attacked illegally.
    Specifically, in different application scenarios, the target data packet may include different data packets characterizing data transmission conditions, for example, the target data packet may include a query data packet, a control data packet, and the like.
    As an implementation manner, when the target data packets include query data packets: since the packet loss rate of the terminal device increases when the first device is attacked, the amount of query data packets also increases, so detecting whether the first device is attacked illegally may include detecting whether the number of query data packets within the preset time is greater than a preset first threshold.
    The first threshold is calibrated according to a large amount of experimental data, and when the number of the data packets is greater than the first threshold, it is proved that the first device frequently queries the data and may be attacked illegally.
    As another implementation manner, when the target data packet includes a control data packet, since the packet loss rate of the terminal device increases when the first device is attacked, in order to implement retransmission of data, the data amount of the corresponding control data packet increases.
    Thus, detecting whether the first device is subjected to the illegal attack may include detecting whether the number of control packets is greater than a preset second threshold, and if so, knowing that the first device is subjected to the illegal attack.
    The second threshold is calibrated according to a large amount of experimental data, and when the number of the control data packets is larger than the second threshold, it is proved that the first device may be attacked illegally.
    In a second example, when the first device is attacked illegally, the warning information including the device identifier may be reported to the relevant server, so that the device identifier in the warning information may be obtained from the server, and whether the first device is attacked illegally is detected by identifying whether the device identifier is the device identifier of the first device.
    S102: if it is detected that the first device is attacked illegally, perform key agreement with the server to obtain a first authority key, and encrypt the interactive information between the first device and the server with the first authority key.
    Specifically, if the first device is detected to be under illegal attack, it performs key agreement with the server to obtain a first authority key, uses the first authority key to encrypt the interactive information between itself and the server, and raises its own security level mode, thereby protecting its device security.
    The authority key is the key corresponding to the current security level mode and is used for communicating with the server. Obtaining the authority key by key negotiation with the server can be realized with prior art and is not described here again.
    S103: send a broadcast message announcing operation in a second security level mode to the other devices in the local area network, where the security level of the second security level mode is higher than that of the first security level mode, so that the devices in the local area network operating in the first security level mode switch to the second security level mode.
    Specifically, after the first device has acquired the first authority key, it sends the other devices in the local area network a broadcast message announcing that it is operating in the second security level mode, whose security level is higher than that of the first security level mode.
    After receiving the broadcast message that the first device is operating in the second security level mode, the other devices in the local area network that are operating in the first security level mode switch to the second security level mode, so as to avoid being maliciously attacked or illegally controlled.
    In practice, the second security level mode may be one level higher than the first security level mode or several levels higher, depending on the specific application scenario.
    In summary, in the security control method for devices in a local area network according to this embodiment of the present invention, while a first device in the local area network operates in a first security level mode, it is detected whether the first device is attacked illegally; if so, key negotiation is performed with a server to obtain a first authority key, which is applied to encrypt interactive information between the first device and the server, and a broadcast message announcing operation in a second security level mode is sent to the other devices in the local area network, where the security level of the second security level mode is higher than that of the first security level mode, so that the devices in the local area network operating in the first security level mode switch to the second security level mode. Interaction among the devices in the local area network is thereby realized: when one device is attacked, the other devices can be effectively alerted, and the security protection efficiency of the devices in the local area network is improved.
    The following description focuses on the other devices notified by the attacked first device:
    Fig. 2 is a flowchart of a security control method for devices in a local area network according to another embodiment of the present invention. As shown in Fig. 2, the method includes:
    S201: a second device in the local area network receives a broadcast message, sent by a first device, announcing operation in a second security level mode, where the security level of the second security level mode is higher than that of the first security level mode.
    Specifically, so that it can learn in time that another device in the same local area network may be attacked and raise its own security level mode promptly, the second device in the local area network receives the broadcast message sent by the first device announcing operation in the second security level mode, where the security level of the second security level mode is higher than that of the first security level mode.
    S202: if the second device currently operates in the first security level mode, perform key negotiation with the server to obtain a second authority key, and encrypt the interactive information between the second device and the server with the second authority key.
    Specifically, after receiving the broadcast message sent by the first device announcing operation in the second security level mode, if the second device is currently operating in the first security level mode, it performs key agreement with the server to obtain a second authority key and encrypts the interactive information between itself and the server with the second authority key.
    It should be noted that the manner of obtaining the second authority key varies with the application scenario; one example follows:
    As one implementation, the second device may send a random number A to the server, and the server feeds back a random number B; the second device then splices random number A and random number B together in the corresponding way to generate the second authority key.
    In summary, in the security control method for devices in a local area network according to this embodiment of the present invention, a second device in the local area network receives a broadcast message sent by a first device announcing operation in a second security level mode, where the security level of the second security level mode is higher than that of the first security level mode; if the second device currently operates in the first security level mode, it performs key negotiation with a server to obtain a second authority key, which is applied to encrypt interactive information between the second device and the server. Interaction among the devices in the local area network is thereby realized: when one device is attacked, the other devices can raise their security level mode on the strength of the attacked device's broadcast message, and the security protection efficiency of the devices in the local area network is improved.
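    Steps S101 to S103 on the first device and S201 to S202 on the second device, together with the random-number splicing just described, as an added Python simulation that is not part of the patent: a first device that has detected an attack raises its mode, agrees an authority key with the server by sending random number A and receiving random number B, and broadcasts its new mode; a second device still in the first mode follows the broadcast and agrees its own key. The level numbering, the JSON broadcast format, the hashing of the spliced random numbers and the use of an HMAC tag in place of a cipher are this example's assumptions.

```python
import hashlib
import hmac
import json
import secrets

# The page only says the second mode is "higher"; this numbering is assumed.
LEVEL_FIRST = 1    # first security level mode
LEVEL_SECOND = 2   # second security level mode


def derive_authority_key(a_hex, b_hex, level):
    """Splice random number A and random number B (the page's construction) and
    hash the result together with the mode, so each security level mode has its
    own authority key. Hashing the spliced value is this example's assumption."""
    spliced = f"{a_hex}|{b_hex}|level={level}".encode()
    return hashlib.sha256(spliced).digest()


class Server:
    """Server side of the key agreement: receives A, answers with a fresh B,
    and keeps the resulting authority key per device."""

    def __init__(self):
        self.keys = {}  # device_id -> authority key for that device's current mode

    def negotiate(self, device_id, level, a_hex):
        b_hex = secrets.token_hex(16)
        self.keys[device_id] = derive_authority_key(a_hex, b_hex, level)
        return b_hex


class Lan:
    """Minimal broadcast domain: delivers a message to every member but the sender."""

    def __init__(self):
        self.members = []

    def broadcast(self, sender, msg):
        raw = json.dumps(msg).encode()
        for m in self.members:
            if m is not sender:
                m.on_broadcast(raw)


class Device:
    def __init__(self, device_id, server, lan):
        self.device_id, self.server, self.lan = device_id, server, lan
        self.level = LEVEL_FIRST
        self.authority_key = None
        lan.members.append(self)

    def negotiate_key(self):
        """Key agreement of S102/S202: send A, receive B, splice both into the
        key that corresponds to the current security level mode."""
        a_hex = secrets.token_hex(16)
        b_hex = self.server.negotiate(self.device_id, self.level, a_hex)
        self.authority_key = derive_authority_key(a_hex, b_hex, self.level)

    def tag_for_server(self, message):
        # Stand-in for protecting interactive information with the authority
        # key: an HMAC the server can verify only if it derived the same key.
        return hmac.new(self.authority_key, message, hashlib.sha256).hexdigest()

    def on_attack_detected(self):
        """S102-S103: raise the mode, agree the first authority key, broadcast."""
        self.level = LEVEL_SECOND
        self.negotiate_key()
        self.lan.broadcast(self, {"type": "mode", "device_id": self.device_id,
                                  "level": self.level})

    def on_broadcast(self, raw):
        """S201-S202: only a device still in a lower mode switches and negotiates."""
        msg = json.loads(raw.decode())
        if msg.get("type") == "mode" and int(msg.get("level", 0)) > self.level:
            self.level = int(msg["level"])
            self.negotiate_key()


def demo():
    """Constructed scenario: dev-01 detects an attack; dev-02 follows the broadcast."""
    server, lan = Server(), Lan()
    first, second = Device("dev-01", server, lan), Device("dev-02", server, lan)
    first.on_attack_detected()
    msg = b"constructed interactive information"
    expected_tag = hmac.new(server.keys["dev-01"], msg, hashlib.sha256).hexdigest()
    return {
        "first_level": first.level,
        "second_level": second.level,
        "first_key_matches_server": first.authority_key == server.keys["dev-01"],
        "second_key_matches_server": second.authority_key == server.keys["dev-02"],
        "keys_differ": first.authority_key != second.authority_key,
        "tag_verifies": hmac.compare_digest(first.tag_for_server(msg), expected_tag),
    }
```

    The mode is raised before the key is negotiated so that, as the page states, the authority key corresponds to the device's current security level mode; a device that is already in the higher mode ignores the broadcast rather than renegotiating, which keeps a single attacked device from forcing repeated key agreements across the network.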
    The following description focuses on a terminal control device to describe a security control method for devices in a local area network according to an embodiment of the present invention. The terminal control device may be an application program that controls the terminal device. Fig. 3 is a flowchart of a security control method for devices in a local area network according to another embodiment of the present invention; as shown in Fig. 3, the method includes:
    S301: a terminal control device in the local area network receives a broadcast message, sent by a first device, announcing operation in a second security level mode, where the security level of the second security level mode is higher than that of the first security level mode.
    Specifically, after the first device has been attacked, the terminal control device in the local area network can receive the broadcast message sent by the first device. To strengthen the security of information interaction between the terminal control device and the terminal device, the terminal control device in the local area network receives the broadcast message sent by the first device announcing operation in the second security level mode, where the security level of the second security level mode is higher than that of the first security level mode.
    S302: parse the identification information of the first device from the broadcast message, and send a token query request carrying the identification information to the server.
    S303: receive the token corresponding to the identification information fed back by the server.
    It can be understood that the identification information of each device, its token, and the correspondence between them are stored in the server in advance. The identification information of a device may include information that uniquely identifies it, such as the device MAC address or the device production number. The token may be a secret number used for communication between the terminal control device and the terminal device; the secret number is checked before the related data is transmitted, and different secret numbers are authorized for different data operations.
    Specifically, the identification information of the first device is parsed from the broadcast message, and a token query request carrying the identification information is sent to the server, so that the server looks up the stored correspondence by the identification information and obtains the token corresponding to it.
    S304: perform key agreement with the first device according to the token to obtain a third authority key, and encrypt the interactive information between the first device and the terminal control device with the third authority key.
    Specifically, after the token is acquired, to ensure the security of the transmitted data, the terminal control device performs key negotiation with the first device according to the token to obtain a third authority key, and applies the third authority key to encrypt the interactive information between the first device and the terminal control device.
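    Steps S301 to S304 as an added Python example (not the patent's own code): the terminal control device parses the first device's identification information from the broadcast, queries the server's pre-stored identifier-to-token mapping, and agrees a third authority key with the first device using the token. The JSON broadcast format and the token-keyed HMAC over two exchanged nonces are assumptions; the scenario also shows that a party presenting a registered identifier without holding its token, or an unregistered identifier, does not end up with a matching key.

```python
import hashlib
import hmac
import json
import secrets


class Server:
    """Holds the pre-stored mapping from device identification information
    (e.g. a MAC address) to that device's token (S302/S303)."""

    def __init__(self, registry):
        self.registry = dict(registry)

    def query_token(self, identification):
        # Token query request: returns None for an unknown identifier.
        return self.registry.get(identification)


def parse_broadcast(raw):
    """S302: parse the first device's identification information and the
    announced security level out of the broadcast message (JSON assumed)."""
    msg = json.loads(raw.decode())
    if msg.get("type") != "mode" or "device_id" not in msg or "level" not in msg:
        raise ValueError("not a security level mode broadcast")
    return msg["device_id"], int(msg["level"])


def derive_third_key(token, nonce_c, nonce_d):
    """Assumed construction for the token-based key agreement of S304: both
    sides MAC the two exchanged nonces with the token, so only a party holding
    the token registered for that identifier ends up with the same key."""
    return hmac.new(token, nonce_c + nonce_d, hashlib.sha256).digest()


class FirstDevice:
    def __init__(self, device_id, token):
        self.device_id, self.token = device_id, token
        self.third_key = None

    def respond(self, nonce_c):
        # Answer the controller's nonce with our own and derive the key.
        nonce_d = secrets.token_bytes(16)
        self.third_key = derive_third_key(self.token, nonce_c, nonce_d)
        return nonce_d


class TerminalControlDevice:
    def __init__(self, server):
        self.server = server
        self.third_key = None

    def handle_broadcast(self, raw, first_device):
        """S301-S304: parse the broadcast, look the token up at the server,
        then agree the third authority key with the first device."""
        device_id, _level = parse_broadcast(raw)
        token = self.server.query_token(device_id)
        if token is None:
            return False  # unregistered identifier: no token, no key agreement
        nonce_c = secrets.token_bytes(16)
        nonce_d = first_device.respond(nonce_c)
        self.third_key = derive_third_key(token, nonce_c, nonce_d)
        return True


def demo():
    """Constructed scenario: a registered first device, a party presenting the
    same identifier without its token, and an unregistered identifier."""
    token = b"constructed-token-for-dev-01"
    server = Server({"dev-01": token})
    raw = json.dumps({"type": "mode", "device_id": "dev-01", "level": 2}).encode()

    genuine = FirstDevice("dev-01", token)
    tcd = TerminalControlDevice(server)
    genuine_ok = tcd.handle_broadcast(raw, genuine) and hmac.compare_digest(
        tcd.third_key, genuine.third_key)

    no_token = FirstDevice("dev-01", b"some-other-token")
    tcd2 = TerminalControlDevice(server)
    tcd2.handle_broadcast(raw, no_token)
    no_token_ok = hmac.compare_digest(tcd2.third_key, no_token.third_key)

    raw_unknown = json.dumps({"type": "mode", "device_id": "dev-99", "level": 2}).encode()
    unknown_ok = TerminalControlDevice(server).handle_broadcast(
        raw_unknown, FirstDevice("dev-99", token))
    return genuine_ok, no_token_ok, unknown_ok
```

    The token never leaves the server-to-controller channel or the device that was provisioned with it; it only keys the derivation, which is what lets the controller bind the third authority key to the identifier the server vouches for rather than to whatever the broadcast claims.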
    In summary, in the security control method for devices in a local area network according to this embodiment of the present invention, a terminal control device in the local area network receives a broadcast message sent by a first device announcing operation in a second security level mode, where the security level of the second security level mode is higher than that of the first security level mode; parses the identification information of the first device from the broadcast message; sends a token query request carrying the identification information to a server; receives the token corresponding to the identification information fed back by the server; and performs key negotiation with the first device according to the token to obtain a third authority key, which is applied to encrypt interactive information between the first device and the terminal control device. The security of the communication data between the terminal control device and the terminal device is thereby ensured.
    In order to implement the foregoing embodiment, the present invention further provides a terminal device. Fig. 4 is a schematic structural diagram of the terminal device according to an embodiment of the present invention; as shown in Fig. 4, the terminal device includes a detection module 110, a first obtaining module 120, and a first sending module 130.
    The detection module 110 is configured to detect whether the terminal device in the local area network is under illegal attack while it operates in the first security level mode.
    In one embodiment of the present invention, as shown in Fig. 5, the detection module 110 includes a first acquisition unit 111 and a detection unit 112.
    The first acquisition unit 111 is configured to acquire the number of target data packets within a preset time.
    The detection unit 112 is configured to detect that the first device is attacked illegally when the number of target data packets meets a preset condition.
    In this embodiment, the target data packets include query data packets or control data packets, so the detection unit 112 is configured to detect that the terminal device is under illegal attack when the number of query data packets is greater than a preset first threshold, or when the number of control data packets is greater than a preset second threshold.
    The first obtaining module 120 is configured to, when it is detected that the terminal device is attacked illegally, perform key agreement with the server to obtain a first authority key, so as to encrypt the interactive information between the first device and the server with the first authority key.
    The first sending module 130 is configured to send a broadcast message announcing operation in a second security level mode to the other devices in the local area network, where the security level of the second security level mode is higher than that of the first security level mode, so that a device in the local area network operating in the first security level mode switches to the second security level mode.
    It should be noted that the security control method for devices in a local area network described above with reference to Fig. 1 corresponds to the terminal device of this embodiment of the present invention; details not disclosed in the terminal device embodiment are not described here again.
    In summary, in the terminal device according to this embodiment of the present invention, while a first device in a local area network operates in a first security level mode, it is detected whether the first device is attacked illegally; if so, key negotiation is performed with a server to obtain a first authority key, which is applied to encrypt interactive information between the first device and the server, and a broadcast message announcing operation in a second security level mode is sent to the other devices in the local area network, where the security level of the second security level mode is higher than that of the first security level mode, so that the devices in the local area network operating in the first security level mode switch to the second security level mode. Interaction among the devices in the local area network is thereby realized: when one device is attacked, the other devices can be effectively alerted, and the security protection efficiency of the devices in the local area network is improved.
    In order to implement the foregoing embodiment, the present invention further provides another terminal device. Fig. 6 is a schematic structural diagram of a terminal device according to another embodiment of the present invention; as shown in Fig. 6, the terminal device includes a first receiving module 210 and a second obtaining module 220.
    The first receiving module 210 is configured to receive, at a terminal device in the local area network, a broadcast message sent by the first device announcing operation in a second security level mode, where the security level of the second security level mode is higher than that of the first security level mode.
    The second obtaining module 220 is configured to, when the terminal device currently operates in the first security level mode, perform key agreement with the server to obtain a second authority key, so as to encrypt the interactive information between the second device and the server with the second authority key.
    It should be noted that the security control method for devices in a local area network described above with reference to Fig. 2 corresponds to the terminal device of this embodiment of the present invention; details not disclosed in the terminal device embodiment are not described here again.
    In summary, in the terminal device according to this embodiment of the present invention, a second device in a local area network receives a broadcast message sent by a first device announcing operation in a second security level mode, where the security level of the second security level mode is higher than that of the first security level mode; if the second device currently operates in the first security level mode, it performs key negotiation with a server to obtain a second authority key, which is used to encrypt interactive information between the second device and the server. Interaction among the devices in the local area network is thereby realized: when one device is attacked, the other devices can raise their security level mode on the strength of the attacked device's broadcast message, and the security protection efficiency of the devices in the local area network is improved.
    In order to implement the foregoing embodiment, the present invention further provides a terminal control device. Fig. 7 is a schematic structural diagram of the terminal control device according to an embodiment of the present invention; as shown in Fig. 7, the terminal control device includes a second receiving module 310, a parsing module 320, a second sending module 330, and a third obtaining module 340.
    The second receiving module 310 is configured to receive, at a terminal control device in the local area network, a broadcast message sent by the first device announcing operation in a second security level mode, where the security level of the second security level mode is higher than that of the first security level mode.
    The parsing module 320 is configured to parse the identification information of the first device from the broadcast message.
    The second sending module 330 is configured to send a token query request carrying the identification information to the server. In an embodiment of the present invention, the second receiving module 310 is further configured to receive the token corresponding to the identification information fed back by the server.
    The third obtaining module 340 is configured to perform key negotiation with the first device according to the token to obtain a third authority key, so as to encrypt the interactive information between the first device and the terminal control device with the third authority key.
    It should be noted that the security control method for devices in a local area network described above with reference to Fig. 3 corresponds to the terminal control device of this embodiment of the present invention; details not disclosed in the terminal control device embodiment are not described here again.
    In summary, in the terminal control device according to this embodiment of the present invention, the terminal control device in the local area network receives a broadcast message sent by the first device announcing operation in the second security level mode, where the security level of the second security level mode is higher than that of the first security level mode; parses the identification information of the first device from the broadcast message; sends a token query request carrying the identification information to the server; receives the token corresponding to the identification information fed back by the server; and performs key negotiation with the first device according to the token to obtain a third authority key, which is applied to encrypt the interactive information between the first device and the terminal control device. The security of the communication data between the terminal control device and the terminal device is thereby ensured.
    In order to implement the foregoing embodiment, the present invention further provides a security control system for devices in a local area network. Fig. 8 is a schematic structural diagram of a security control system for devices in a local area network according to an embodiment of the present invention; as shown in Fig. 8, the system includes a terminal device 100, a terminal device 200, a terminal control device 300, and a server 400.
    The terminal device described above with reference to Figs. 4 and 5 corresponds to the terminal device 100 of this embodiment, the terminal device described above with reference to Fig. 6 corresponds to the terminal device 200, and the terminal control device described above with reference to Fig. 7 corresponds to the terminal control device 300; details not disclosed in this embodiment of the security control system for devices in a local area network are not described here again.
    In summary, in the security control system for devices in a local area network according to this embodiment of the present invention, while a first device in the local area network operates in a first security level mode, it is detected whether the first device is attacked illegally; if so, key negotiation is performed with a server to obtain a first authority key, which is applied to encrypt interactive information between the first device and the server, and a broadcast message announcing operation in a second security level mode is sent to the other devices in the local area network, where the security level of the second security level mode is higher than that of the first security level mode, so that the devices in the local area network operating in the first security level mode switch to the second security level mode, and the terminal control device encrypts its information interaction with the first device. Interaction among the devices in the local area network is thereby realized: when one device is attacked, the other devices can be effectively alerted, and the security protection efficiency of the devices in the local area network is improved.
    In the description herein, references to the terms "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, schematic uses of these terms do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples, and the various embodiments or examples and the features of different embodiments or examples described in this specification can be combined by one skilled in the art provided they do not contradict one another.
    Although embodiments of the present invention have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present invention, and that variations, modifications, substitutions and alterations can be made to the above embodiments by those of ordinary skill in the art within the scope of the present invention.
  Claims (11)
1. A safety control method for devices in a local area network is characterized by comprising the following steps:
      detecting whether the first equipment in the local area network is attacked illegally in the process of running in a first security level mode;
      if the first equipment is detected to be attacked illegally, performing key negotiation with a server to obtain a first authority key so as to encrypt interactive information between the first equipment and the server by applying the first authority key;
      and sending a broadcast message of a second security level mode operation to other devices in the local area network, wherein the security level of the second security level mode is higher than that of the first security level mode, so that the devices in the local area network operating in the first security level mode are switched to the second security level mode.
    2. The method of claim 1, wherein the detecting whether the first device is attacked illegally comprises:
      acquiring the number of target data packets within a preset time; and
      if the number of the target data packets meets a preset condition, detecting that the first device is attacked illegally.
    3. The method of claim 1, wherein the target data packets comprise query data packets or control data packets; and
      if the number of the target data packets meets a preset condition, detecting that the first device is attacked illegally comprises:
      if the number of the query data packets is larger than a preset first threshold, detecting that the first device is attacked illegally; or,
      if the number of the control data packets is larger than a preset second threshold, detecting that the first device is attacked illegally.
    4. A safety control method for devices in a local area network is characterized by comprising the following steps:
      receiving a broadcast message which is transmitted by a first device and runs in a second security level mode by a second device in a local area network, wherein the security level of the second security level mode is higher than that of a first security level mode which runs by the first device;
      and if the second equipment operates in the first security level mode currently, performing key negotiation with a server to obtain a second authority key so as to encrypt the interactive information between the second equipment and the server by applying the second authority key.
    5. A safety control method for devices in a local area network is characterized by comprising the following steps:
      receiving a broadcast message which is transmitted by first equipment and runs in a second security level mode by terminal control equipment in a local area network, wherein the security level of the second security level mode is higher than that of a first security level mode which runs by the first equipment;
      analyzing the identification information of the first equipment from the broadcast message, and sending a token query request carrying the identification information to a server;
      receiving a token corresponding to the identification information fed back by the server;
      and performing key agreement with the first device according to the token to obtain a third authority key so as to apply the third authority key to encrypt the interactive information between the first device and the terminal control device.
    6. A terminal device, comprising:
      the detection module is used for detecting whether the terminal equipment in the local area network is attacked illegally or not in the process of running in the first security level mode;
      the first obtaining module is used for carrying out key negotiation with a server to obtain a first authority key when detecting that the terminal equipment is subjected to illegal attack so as to encrypt interactive information between the first equipment and the server by applying the first authority key;
      the first sending module is configured to send a broadcast message of a second security level mode to other devices in the local area network, where a security level of the second security level mode is higher than that of the first security level mode, so that a device in the local area network operating in the first security level mode is switched to the second security level mode.
    7. The terminal device of claim 6, wherein the detection module comprises:
      the first acquisition unit is used for acquiring the number of target data packets within preset time;
      and the detection unit is used for detecting and knowing that the first equipment is attacked illegally when the number of the target data packets meets a preset condition.
    8. The terminal device of claim 6, wherein the target data packets comprise query data packets or control data packets; and
      the detection unit is configured to, if the number of the target data packets meets a preset condition:
      when the number of the query data packets is larger than a preset first threshold, detect that the terminal device is attacked illegally; or,
      when the number of the control data packets is larger than a preset second threshold, detect that the terminal device is attacked illegally.
    9. A terminal device, comprising:
      a first receiving module, configured to receive, at a terminal device in a local area network, a broadcast message sent by a first device and running in a second security level mode, where a security level of the second security level mode is higher than a security level of a first security level mode in which the first device runs;
      and the second obtaining module is used for performing key negotiation with the server to obtain a second authority key when the terminal equipment runs in the first security level mode currently, so as to encrypt the interactive information between the second equipment and the server by applying the second authority key.
    10. A terminal control device, characterized by comprising:
      a second receiving module, configured to receive, at a terminal control device in a local area network, a broadcast message sent by a first device and running in a second security level mode, where a security level of the second security level mode is higher than a security level of a first security level mode in which the first device runs;
      the analysis module is used for analyzing the identification information of the first equipment from the broadcast message;
      the second sending module is used for sending a token query request carrying the identification information to a server;
      the second receiving module is further configured to receive a token corresponding to the identification information, which is fed back by the server;
      and the third obtaining module is used for performing key agreement with the first equipment according to the token to obtain a third authority key so as to apply the third authority key to encrypt the interactive information between the first equipment and the terminal control equipment.
    11. A safety control system for devices in a local area network, comprising:
      the terminal device of any one of claims 6-8;
      the terminal device of claim 9;
      the terminal control device according to claim 10; and
      a server.
    Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title | 
|---|---|---|---|
| CN201610934255.4A CN106656984B (en) | 2016-10-31 | 2016-10-31 | Safety operation control method, system and its equipment of equipment in local area network | 
Publications (2)
| Publication Number | Publication Date | 
|---|---|
| CN106656984A CN106656984A (en) | 2017-05-10 | 
| CN106656984B true CN106656984B (en) | 2019-10-01 | 
Family
ID=58821182
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date | 
|---|---|---|---|
| CN201610934255.4A Active CN106656984B (en) | 2016-10-31 | 2016-10-31 | Safety operation control method, system and its equipment of equipment in local area network | 
Country Status (1)
| Country | Link | 
|---|---|
| CN (1) | CN106656984B (en) | 
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title | 
|---|---|---|---|---|
| CN115001667B (en) * | 2021-12-15 | 2023-05-26 | Honor Device Co., Ltd. | Key agreement method, system, electronic device and computer readable storage medium | 
| CN115664850A (en) * | 2022-12-13 | 2023-01-31 | Shenzhen Xinyupeng Electronic Technology Co., Ltd. | Communication security level switching method and device, electronic equipment and storage medium | 
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title | 
|---|---|---|---|---|
| CN102625312A (en) * | 2012-04-25 | 2012-08-01 | Chongqing University of Posts and Telecommunications | Security System of Sensor Network Based on Hierarchical Intrusion Detection | 
| CN102737178A (en) * | 2011-03-28 | 2012-10-17 | Sony Corporation | Information processing apparatus and method, and program | 
| CN102811196A (en) * | 2011-05-30 | 2012-12-05 | ZTE Corporation | Method, device and system for network safety protection in automatically switched optical network | 
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title | 
|---|---|---|---|---|
| US9075953B2 (en) * | 2012-07-31 | 2015-07-07 | At&T Intellectual Property I, L.P. | Method and apparatus for providing notification of detected error conditions in a network | 
- 2016-10-31: CN application CN201610934255.4A filed; granted as CN106656984B (status: Active)
Also Published As
| Publication number | Publication date | 
|---|---|
| CN106656984A (en) | 2017-05-10 | 
Similar Documents
| Publication | Title | 
|---|---|
| CN1874271B (en) | Method and system for protecting wireless devices from rogue access point attacks | 
| EP2775660B1 (en) | Message authentication method in communication system and communication system | 
| WO2018076368A1 (en) | Method and system for safely operating device in local area network, and device therefor | 
| GB2523444A (en) | Device authentication | 
| Vanhoef et al. | Operating channel validation: Preventing multi-channel man-in-the-middle attacks against protected Wi-Fi networks | 
| CN113794734A (en) | Vehicle-mounted CAN bus encryption communication method, control device and readable storage medium | 
| CN104301303A (en) | Security protection method and system for smart home internet of things | 
| KR101675332B1 (en) | Data commincaiton method for vehicle, Electronic Control Unit and system thereof | 
| CN104753953A (en) | Access control system | 
| US20210044971A1 (en) | Security Credentials Recovery in Bluetooth Mesh Network | 
| CN107181722A (en) | Vehicle safety communications method, device, vehicle multimedia system and vehicle | 
| CN107181725A (en) | Vehicle safety communications method, device, vehicle multimedia system and vehicle | 
| WO2023236925A1 (en) | Authentication method and communication device | 
| US7293289B1 (en) | Apparatus, method and computer program product for detection of a security breach in a network | 
| CN106656984B (en) | Safety operation control method, system and its equipment of equipment in local area network | 
| US11716367B2 (en) | Apparatus for monitoring multicast group | 
| KR102663891B1 (en) | Smart home system having dual security characteristics and communication method thereof | 
| CN118869207B (en) | Communication key generation management method and device | 
| KR20170032210A (en) | Data commincaiton method for vehicle, Electronic Control Unit and system thereof | 
| US20190289461A1 (en) | Secure key fob | 
| US20150188918A1 (en) | Method and system of authenticating a network device in a location based verification framework | 
| CN111274570A (en) | Encryption authentication method and device, server, readable storage medium and air conditioner | 
| CN112995140B (en) | Safety management system and method | 
| CN106656480B (en) | Key agreement method and device for client of household appliance | 
| CN106254367A (en) | Long-range control method based on double netcard intermediate server and system | 
Legal Events
| Date | Code | Title | Description | 
|---|---|---|---|
| 2017-05-10 | PB01 | Publication | | 
| | SE01 | Entry into force of request for substantive examination | | 
| 2019-10-01 | GR01 | Patent grant | | 