CN118761065A - Security audit methods, devices, systems and media - Google Patents
- Publication number: CN118761065A
- Application number: CN202410798390.5A
- Authority: CN (China)
- Prior art keywords: usb, equipment, auditing, audit, management server
- Legal status: Pending
Classifications
- G—PHYSICS > G06—COMPUTING OR CALCULATING; COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING > G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  - G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    - G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
      - G06F21/577—Assessing vulnerabilities and evaluating computer system security
    - G06F21/55—Detecting local intrusion or implementing counter-measures
      - G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
  - G06F21/60—Protecting data
    - G06F21/606—Protecting data by securing the transmission between two devices or processes
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00—Network architectures or network communication protocols for network security
  - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
      - H04L63/1416—Event detection, e.g. attack signature detection
    - H04L63/1433—Vulnerability analysis
  - H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
    - H04L63/205—Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
Abstract
The invention provides a security audit method, device, system and medium. The method comprises the following steps: after the USB audit device is started, forwarding USB data packets on the USB link between the upper computer and the USB device in a preset transparent transmission mode while simultaneously entering a preset monitoring mode, and capturing and analyzing the USB data packets transmitted through each USB interface in the monitoring mode; when a violation by the USB device is detected, reporting the violation to a cloud management server so that the cloud management server can determine audit rules; and receiving the audit rules issued by the cloud management server and analyzing and processing the USB data packets in a preset injection mode according to those rules. The invention can act as a monitoring proxy over the entire USB communication handshake and data transfer between the USB device and the upper computer, can audit, analyze and modify USB data packets, addresses the technical problem of security risks arising during USB device use, and improves the security and reliability of the data of the upper computer and the USB device.
Description
Technical Field
The present invention relates to the field of information security technologies, and in particular, to a security audit method, device, system, and medium.
Background
Security auditing refers to the comprehensive and systematic inspection and evaluation of computer systems, network devices, applications, security policies, etc. to discover security problems and vulnerabilities present in the system and to provide corresponding repair suggestions and improvements.
USB has become one of the essential interfaces of computers and smart devices and is used in many everyday work scenarios, such as sharing data between PCs with a USB flash drive, and using USB printers, USB security authentication tokens, USB mice and keyboards, and similar applications. In recent years, security incidents involving hardware products of all kinds have emerged one after another, and various attack techniques aimed at the USB interface have appeared, for example malware propagation, data leakage, unauthorized access, autorun attacks and charging-cable attacks, all of which pose serious security risks to the affected systems. A security audit method that eliminates the hidden dangers of USB use is therefore needed.
Disclosure of Invention
The present invention has been made in view of the above problems, and it is an object of the present invention to provide a security audit method, apparatus, system and medium that overcomes or at least partially solves the above problems.
To achieve the above and other related objects, the present invention provides a security audit method applied to a USB audit device, where the USB audit device is connected to a cloud management server and uses a USB UDC interface and a USB Host interface to connect to an upper computer and a USB device respectively. The method includes:
after the USB audit device is started, forwarding USB data packets on the USB link between the upper computer and the USB device in a preset transparent transmission mode while simultaneously entering a preset monitoring mode, and capturing and analyzing the USB data packets transmitted through each USB interface in the monitoring mode;
when a violation by the USB device is detected, reporting the violation to the cloud management server so that the cloud management server can determine audit rules;
and receiving the audit rules issued by the cloud management server and analyzing and processing the USB data packets in a preset injection mode according to those rules.
Optionally, the audit rule includes: intercept rules and/or alarm trigger management rules.
Optionally, the analyzing the USB packet according to the audit rule in a preset injection mode includes:
Under the condition that the auditing rule is an interception rule, analyzing the USB data packet on the USB link, and extracting a unique identifier of the USB device;
And analyzing and identifying the unique identifier according to a preset blacklist, prohibiting the USB data packet from carrying out communication transmission when the unique identifier is contained in the equipment list of the preset blacklist, and sending alarm information to the cloud management server.
Optionally, after the step of extracting the unique identifier of the USB device, the method further includes:
And analyzing and identifying the unique identifier according to a preset white list, and allowing the USB data packet to carry out communication transmission when the unique identifier is contained in the equipment list of the preset white list.
Optionally, the analyzing the USB packet according to the audit rule in a preset injection mode includes:
Under the condition that the auditing rule is an alarm triggering management rule, unpacking and analyzing the USB data packet on the USB link to obtain the transmission content of the USB equipment;
when the transmission content is detected to be sensitive content, the USB data packet is modified or intercepted, and alarm information is sent to the cloud management server.
Optionally, after the step of detecting the violation of the USB device, the method further includes:
and allowing the USB auditing equipment to locally issue auditing rules, and analyzing and processing the USB data packet in a preset injection mode according to the auditing rules.
To achieve the above and other related objects, the present invention provides a security audit method applied to a cloud management server, the method comprising:
Receiving illegal behaviors reported by USB auditing equipment, and determining auditing rules according to the illegal behaviors;
And issuing auditing rules to the USB auditing equipment so that the USB auditing equipment can analyze and process the USB data packet in a preset injection mode according to the auditing rules.
In a second aspect, the present invention further provides a security audit device applied to a USB peripheral security audit device, where the USB audit device is connected to a cloud management server and uses a USB UDC interface and a USB Host interface to connect to an upper computer and a USB device. The device includes:
The transmission module is used for transmitting the USB data packets on the USB link between the upper computer and the USB equipment in a preset transparent transmission mode after the USB auditing equipment is started, entering a preset monitoring mode at the same time, and capturing and analyzing the USB data packets transmitted by each USB interface in the preset monitoring mode;
The reporting module is used for reporting the illegal behaviors to the cloud management server when the illegal behaviors of the USB equipment are detected, so that the cloud management server can determine audit rules;
And the auditing module is used for receiving auditing rules issued by the cloud management server and analyzing and processing the USB data packet in a preset injection mode according to the auditing rules.
In a third aspect, the present invention also provides a security audit system, the system comprising:
the USB auditing equipment is used for transmitting the USB data packets on the USB link between the upper computer and the USB equipment in a preset transparent transmission mode after the USB auditing equipment is started, entering a preset monitoring mode at the same time, and capturing and analyzing the USB data packets transmitted by each USB interface in the preset monitoring mode;
the USB audit device is further used for reporting the illegal behaviors to a cloud management server when detecting the illegal behaviors of the USB device;
the cloud management server is used for receiving the illegal behaviors reported by the USB auditing equipment and determining auditing rules according to the illegal behaviors;
The cloud management server is further used for issuing audit rules to the USB audit equipment;
The USB auditing equipment is also used for receiving auditing rules issued by the cloud management server and analyzing and processing the USB data packet in a preset injection mode according to the auditing rules.
The one or more technical schemes provided by the invention can have the following advantages or at least realize the following technical effects:
The security audit method, the security audit device, the security audit system and the security audit medium are applied to USB audit equipment, the USB audit equipment is connected with a cloud management server, the USB audit equipment is connected with an upper computer and USB equipment by using a USB UDC interface and a USB Host interface, and the security audit method comprises the following steps: after the USB auditing equipment is started, transmitting USB data packets on a USB link between the upper computer and the USB equipment in a preset transparent transmission mode, entering a preset monitoring mode at the same time, and capturing and analyzing the USB data packets transmitted by each USB interface in the preset monitoring mode; reporting the violations to the cloud management server when the violations of the USB equipment are detected, so that the cloud management server can determine audit rules; and receiving an audit rule issued by the cloud management server, and analyzing and processing the USB data packet in a preset injection mode according to the audit rule.
Therefore, through the joint cooperation of the USB audit device and the cloud management server, the invention can act as a monitoring proxy over the entire USB communication handshake and data transfer between the USB device and the upper computer, can audit, analyze and modify USB data packets, addresses the technical problem of security risks arising during USB device use, and improves the security and reliability of the computer system and of the USB device's data.
Drawings
FIG. 1 is a schematic diagram of a basic framework of a USB auditing apparatus according to an embodiment of the present invention;
FIG. 2 is a flow chart of a security audit method according to an embodiment of the invention;
FIG. 3 is a schematic diagram of a transparent transmission mode of a USB audit device according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a monitoring mode of a USB auditing device according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of an injection mode of a USB auditing apparatus according to an embodiment of the present invention;
fig. 6 is a schematic functional block diagram of a security audit device according to an embodiment of the present invention.
The achievement of the objects, functional features and advantages of the present invention will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
Other advantages and effects of the present invention will become apparent to those skilled in the art from the following disclosure, which describes the embodiments of the present invention with reference to specific examples. The invention may be practiced or carried out in other embodiments that depart from the specific details, and the details of the present description may be modified or varied without departing from the spirit and scope of the present invention. It should be noted that the following embodiments, and the features in those embodiments, may be combined with each other where they do not conflict.
It should be noted that the illustrations provided in the following embodiments merely illustrate the basic concept of the present invention by way of illustration, and only the components related to the present invention are shown in the drawings and are not drawn according to the number, shape and size of the components in actual implementation, and the form, number and proportion of the components in actual implementation may be arbitrarily changed, and the layout of the components may be more complicated.
In the following description, numerous details are set forth in order to provide a more thorough explanation of embodiments of the present invention, it will be apparent, however, to one skilled in the art that embodiments of the present invention may be practiced without these specific details, in other embodiments, well-known structures and devices are shown in block diagram form, rather than in detail, in order to avoid obscuring the embodiments of the present invention.
The terms first, second and the like in the description and in the claims of the embodiments of the disclosure and in the above-described figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate in order to describe embodiments of the present disclosure. Furthermore, the terms "comprise" and "have," as well as any variations thereof, are intended to cover a non-exclusive inclusion.
The term "plurality" means two or more, unless otherwise indicated.
In the embodiment of the present disclosure, the character "/" indicates that the front and rear objects are an or relationship. For example, A/B represents: a or B.
The term "and/or" is an associative relationship that describes an object, meaning that there may be three relationships. For example, a and/or B, represent: a or B, or, A and B.
Before explaining the present invention in further detail, terms and terminology involved in the embodiments of the present invention will be explained, and the terms and terminology involved in the embodiments of the present invention are applicable to the following explanation:
<1> Upper computer: a computer or system that communicates with and controls a lower computer or device. It is typically a stand-alone computer that monitors, configures, controls and manages the operation of the lower computer or device.
<2> USB device: a hardware device connected to a computer through a USB interface.
<3> UDC (USB Device Controller, i.e., the USB slave-side controller): the controller on the device side of a USB link, as opposed to a USB host controller; its hardware and driver let the board attach to a USB host controller and appear to it as a USB device.
<4> Malware: software designed to damage, disrupt, steal from, or gain unauthorized access to a computer system. Common propagation paths include, but are not limited to, email attachments, malicious links, software vulnerabilities, and USB and other removable media.
Malware propagation refers to malware spreading by infecting USB devices: when a user connects an infected USB device, the malware may spread to the user's computer or other devices.
<5> Data leakage: the access, theft or disclosure of sensitive, confidential or protected data by unauthorized persons or entities. Common causes include, but are not limited to, hacking, malware, insider threats, physical theft, and third-party disclosure.
<6> Unauthorized access: an individual or entity attempting or succeeding in accessing a computer system, network, application, data or resource without the proper rights. For example, a malicious user may physically reach a user's computer unnoticed and insert a malicious USB device to gain unauthorized access or control.
<7> Autorun attack: a malware propagation method that abuses the autorun function of the Windows operating system. For example, a malicious USB device may use autorun to execute malicious code automatically as soon as it is connected to a computer.
<8> Charging-cable attack: an attack on an electronic device, such as a phone or tablet connected over USB, using a tampered charging cable (for example, a malicious cable that contains malware targeting the system the device is connected to).
<9> USB HID (Human Interface Device): a USB device used for interaction between a computer system and a user, such as a keyboard or mouse. Its characteristics include plug and play, multiple uses, standardization, and flexibility.
The following describes the technical scheme in the embodiment of the present invention in detail with reference to the drawings.
An embodiment of the invention provides a security audit method which is applied to USB audit equipment, wherein the USB audit equipment is accessed to a cloud management server, and the USB audit equipment is connected with an upper computer and USB equipment by using a USB UDC interface and a USB Host interface.
The USB auditing equipment is a single-board system based on ARM SoC, runs an embedded operating system and comprises a USB HOST interface and a USB UDC interface, and supports USB1.0 to 3.0 protocols; can be used to monitor and manage the usage of USB devices to ensure data security and prevent malware propagation.
As an example, the USB HOST interface may be preferably a Type-A interface, and the USB UDC interface may be preferably a Type-C interface. USB IN (USB input) and USB OUT (USB output) are distinguished by using a Type-A interface and a Type-C interface. In a specific embodiment, the interface type of the USB auditing device may be adjusted according to the actual situation.
As another example, referring to fig. 1, which is a schematic diagram of the basic framework of the USB audit device: as can be seen from fig. 1, the USB audit device is an intermediate device on the USB data path that can capture and intercept data. It uses a USB HOST interface and a USB UDC interface to connect the USB device and the upper computer. The "WIFI" and "bluetooth" in fig. 1 are used for networking and remote control of the USB audit device, indicating that the USB audit device may be connected to the host computer over Ethernet (e.g., via a USB interface) or over a WIFI connection.
The security audit method according to the embodiments of the present invention will be described in detail below with reference to a plurality of embodiments.
Referring to fig. 2, an embodiment of the present invention provides a security audit method, which may include steps S10 to S30 as follows:
Step S10, after the USB auditing equipment is started, transmitting the USB data packet on the USB link between the upper computer and the USB equipment in a preset transparent transmission mode, entering a preset monitoring mode at the same time, and capturing and analyzing the USB data packet transmitted by each USB interface in the preset monitoring mode.
The transparent transmission mode can be that USB data packets are directly transmitted between the upper computer and the USB equipment, and no additional processing or filtering is performed; it focuses on the direct forwarding of USB packets. In the transparent transmission mode, the USB auditing equipment is transparent to the USB data packet, and the content of the USB data packet is not changed.
Referring to fig. 3, fig. 3 is a schematic diagram of a transparent transmission mode of the USB auditing device; as can be seen from fig. 3, after the USB auditing device is started, in the transparent mode, the USB data packet on the USB link between the host computer and the USB device (i.e., the audited device) is directly forwarded.
The monitoring mode can be used for capturing and analyzing USB data packets transmitted through each USB interface in USB audit; focusing on the capture and analysis of USB packets.
Referring to fig. 4, which is a schematic diagram of the monitoring mode of the USB audit device: as can be seen from fig. 4, in the monitoring mode all USB packets on the USB bus of the USB audit device are collected and analyzed, and when the data security or behavior analysis finds an anomaly, the data or behavior is reported to the cloud management server.
In a specific implementation, after the USB audit device is started, USB data packets on the USB link between the upper computer and the USB device can be forwarded in the transparent transmission mode, so that normal transmission over the USB link between the upper computer and the USB device is ensured. At the same time, the monitoring mode can be entered; in it, the USB data packets transmitted by all USB interfaces of the USB audit device are captured, behavior analysis is performed on the USB device corresponding to each USB data packet, and it is detected whether any behavior violates the security policy.
And step S20, reporting the illegal behaviors to the cloud management server when the illegal behaviors of the USB equipment are detected, so that the cloud management server can determine audit rules.
A violation is a use of the USB device that breaches the organization's security policy or applicable laws and regulations.
As an example, a USB device is analyzed for USB violations, such as unauthorized USB device access, use of unsafe USB devices, data leakage, or malware infection, etc.
The auditing rules can be used for monitoring, recording and analyzing interaction between the USB equipment and the upper computer in USB auditing so as to ensure data security, prevent unauthorized access and detect potential threats.
As an example, security alert information may be triggered when it is detected that the USB data packet contains sensitive content.
As another example, when a malicious program is detected to occur to an accessed USB device, USB packets of the USB device are modified or filtered in time.
As yet another example, when unauthorized USB device access is detected, USB device data communication is prohibited and alert information is sent to the cloud management server.
In a specific implementation, when detecting the illegal action of the USB equipment, reporting the illegal action to a cloud management server; and then the cloud management server can determine the corresponding auditing rules according to the illegal behaviors of the USB equipment, and then the cloud management server issues the auditing rules to the USB auditing equipment so as to remotely manage the USB auditing equipment.
Further, in an embodiment, the audit rule may include: intercept rules and/or alarm trigger management rules.
As an example, the audit rule may be an interception rule. For example, the USB audit device can extract the PID and VID from the USB device's data packets and analyze and identify the device by its PID and VID; communication can then be allowed or refused according to the blacklist and whitelist. Various USB devices can be quickly and accurately identified and managed by PID and VID.
As another example, the audit rule may be an alarm trigger management rule. For example, the USB audit device parses USB HID data packets to obtain the input of the corresponding mouse or keyboard; when it finds that the user has entered specific content or keywords, security alert information may be triggered.
As yet another example, the audit rules may be intercept rules and alarm trigger management rules.
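The alarm trigger management rule above works on HID traffic: keyboard reports are decoded into keystrokes and a configured keyword raises an alert. The following is an added example and not code from the patent; it models that rule for the USB boot-protocol keyboard report (8 bytes: modifier byte, reserved byte, up to six key usage IDs), and, for the injection mode described later, replaces the report that completes a keyword with a key-release report so the keystroke is not forwarded. The keyword, the `KeystrokeMonitor`/`audit_reports` names and all report bytes are constructed for the demo and are not the patent's.

```python
"""Added example: alarm-trigger rule over USB HID boot-keyboard reports.
All report bytes and keywords are constructed; nothing here is the patent's own code."""
from dataclasses import dataclass

# HID Usage Tables, Keyboard/Keypad page: a-z are 0x04..0x1D, 1..9,0 are 0x1E..0x27
USAGE_TO_CHAR = {0x04 + i: c for i, c in enumerate("abcdefghijklmnopqrstuvwxyz")}
USAGE_TO_CHAR.update({0x1E + i: c for i, c in enumerate("1234567890")})
USAGE_TO_CHAR.update({0x2C: " ", 0x28: "\n", 0x2D: "-", 0x37: "."})
CHAR_TO_USAGE = {c: u for u, c in USAGE_TO_CHAR.items()}
SHIFT_MASK = 0x22          # modifier byte: bit 1 = left shift, bit 5 = right shift
RELEASE_REPORT = bytes(8)  # all keys up


@dataclass
class KeystrokeMonitor:
    keywords: tuple
    window: int = 64               # recent characters kept for matching
    _text: str = ""
    _held: frozenset = frozenset()  # usages pressed in the previous report

    def feed(self, report: bytes):
        """Decode one 8-byte boot-keyboard report; return the matched keyword or None."""
        if len(report) != 8:
            raise ValueError("boot keyboard report must be 8 bytes")
        modifiers, pressed = report[0], frozenset(k for k in report[2:8] if k)
        # Only newly pressed usages produce characters: a held key repeats in every report
        for usage in sorted(pressed - self._held):
            ch = USAGE_TO_CHAR.get(usage)
            if ch is not None:
                ch = ch.upper() if modifiers & SHIFT_MASK else ch
                self._text = (self._text + ch)[-self.window:]
        self._held = pressed
        lowered = self._text.lower()
        for kw in self.keywords:
            if kw.lower() in lowered:
                self._text = ""    # reset so one typed keyword is reported once
                return kw
        return None


def audit_reports(reports, keywords):
    """Injection-mode pass over a report stream: returns (forwarded_reports, alerts).

    The report that completes a keyword is replaced by RELEASE_REPORT (the keystroke is
    suppressed and an alert is recorded); every other report is forwarded unchanged."""
    monitor = KeystrokeMonitor(keywords)
    forwarded, alerts = [], []
    for report in reports:
        kw = monitor.feed(report)
        if kw is None:
            forwarded.append(report)
        else:
            alerts.append({"keyword": kw, "report": report.hex()})
            forwarded.append(RELEASE_REPORT)
    return forwarded, alerts


def reports_for_text(text: str):
    """Constructed input: the press/release report pairs a keyboard sends while typing `text`."""
    reports = []
    for ch in text:
        usage = CHAR_TO_USAGE.get(ch.lower())
        if usage is None:
            continue                       # characters outside the small map are skipped
        modifiers = 0x02 if ch.isupper() else 0x00
        reports.append(bytes([modifiers, 0, usage, 0, 0, 0, 0, 0]))
        reports.append(RELEASE_REPORT)
    return reports


def scan_text(text: str, keywords):
    """Keywords detected while `text` is typed, in the order they complete."""
    _, alerts = audit_reports(reports_for_text(text), keywords)
    return [a["keyword"] for a in alerts]


if __name__ == "__main__":
    forwarded, alerts = audit_reports(reports_for_text("type passwd here"), ("passwd",))
    print(len(forwarded), "reports forwarded,", alerts)
```

Matching is done on a sliding window of decoded text rather than on single reports because a keyword spans many reports; the held-key check matters because a keyboard resends the same report while a key is down, and counting each resend as a keystroke would both corrupt the reconstructed text and miss the keyword.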
And step S30, receiving an audit rule issued by the cloud management server, and analyzing and processing the USB data packet in a preset injection mode according to the audit rule.
The injection mode may be that when data security or behavior analysis abnormality is found, the USB auditing device injects specific data or command into the USB data packet, so as to filter or cut off forwarding of dangerous data.
Referring to fig. 5, fig. 5 is a schematic diagram of an injection mode of the USB auditing device; as can be seen from fig. 5, after the USB auditing device finds an abnormality in data security or behavior analysis, it enters an injection mode to filter or cut-off forwarding dangerous USB packets.
In a specific implementation, an audit rule issued by the cloud management server can be received, and the audit rule is utilized to analyze and process the USB data packet in an injection mode, so that a whole-process monitoring agent is realized for the USB data packet communication handshake process and data transmission of the USB device and the upper computer.
In this embodiment, after the USB auditing device is started, a USB data packet on a USB link between the host computer and the USB device is transmitted in a preset transparent transmission mode, and meanwhile, a preset monitoring mode is entered, and the USB data packet transmitted by each USB interface is captured and analyzed in the preset monitoring mode; reporting the illegal behaviors to a cloud management server when the illegal behaviors of the USB equipment are detected, so that the cloud management server can determine audit rules; and receiving an audit rule issued by the cloud management server, and analyzing and processing the USB data packet in a preset injection mode according to the audit rule. According to the invention, through the cooperation of the USB auditing equipment and the cloud management server, the whole process monitoring agent is carried out on the USB data packet communication handshake process and data transmission of the USB equipment and the upper computer, the auditing analysis and modification of the USB data packet can be realized, the technical problem of potential safety hazard in the use process of the USB equipment is solved, and the safety and reliability of the computer system and the USB equipment data are improved.
Based on the foregoing embodiment, a second embodiment of the security audit method of the present invention is provided, in which step S30 may further include the following sub-steps a10 to a20:
and a sub-step A10, in which under the condition that the auditing rule is an interception rule, the USB data packet on the USB link is analyzed, and the unique identifier of the USB device is extracted.
Here, the interception rule may be an action specifying that data transmission or the data connection of the USB device should be blocked in a specific case.
As an example, the interception rule may be an unauthorized USB device interception, which may prevent a USB device that is not present on the whitelist from connecting to the host.
As another example, the interception rules may be blacklist interception, and known blacklist USB devices may be automatically intercepted, which may be associated with security events or unsafe behavior.
The unique identifier may be a PID (Product ID) and a VID (Vendor ID) of the USB device; in USB device management and audit, PID and VID can be used for identity verification and management of USB devices. Wherein each USB device corresponds to a unique PID and VID.
In a specific implementation, under the condition that the auditing rule is an interception rule, a USB data packet on a USB link can be analyzed, and a unique identifier of the USB device is extracted; and further, the identity of the USB device can be verified according to the unique identifier so as to judge whether the USB device has authority.
And a sub-step A20 of analyzing and identifying the unique identifier according to a preset blacklist, prohibiting the USB data packet from carrying out communication transmission and sending alarm information when the unique identifier is not contained in the equipment list of the preset blacklist.
The black-and-white list can be used for controlling and managing the access authority of the USB equipment in USB audit; the USB device can be effectively controlled to be used, data leakage and malicious software propagation are prevented, and therefore the safety of data between the upper computer and the USB device is improved.
A white list, which may contain a list of USB devices that are trusted and allowed to access the host computer; only the USB device on the white list can be connected to the upper computer for data transmission, so that the security risk brought by unauthorized USB devices can be reduced.
A blacklist which can contain a list of USB devices which are forbidden to be accessed into the upper computer; any device on the blacklist will attempt to connect, and the upper level will automatically block its access, which can be used to prevent known malicious or unsafe USB devices from accessing.
In a specific implementation, the unique identifier can be analyzed and identified by using the blacklist so as to judge whether the USB equipment corresponding to the unique identifier has access permission or not; when the device list of the blacklist is detected to contain the unique identifier, the USB device corresponding to the unique identifier is indicated to have no access right, and further USB data packets communicated by the USB device can be intercepted and alarm information can be sent.
Further, in an embodiment, after the sub-step a10, the method may further include the following sub-step a30:
And a sub-step A30 of analyzing and identifying the unique identifier according to a preset white list, and allowing the USB data packet to carry out communication transmission when the unique identifier is contained in the equipment list of the preset white list.
In a specific implementation, after the unique identifier is analyzed and identified by using the white list, when the unique identifier is detected to be included in the device list of the white list, it is indicated that the USB device corresponding to the unique identifier has access authority, and further, the USB data packet communicated by the USB device can be allowed to be transmitted.
In this embodiment, under the condition that the audit rule is an interception rule, analyzing the USB data packet on the USB link, and extracting a unique identifier of the USB device; and analyzing and identifying the unique identifier according to the preset blacklist, prohibiting the USB data packet from being transmitted when the unique identifier is contained in the equipment list of the preset blacklist, and sending alarm information. Therefore, the access authority of the USB equipment is effectively controlled and managed through the interception rule, data leakage and malicious software propagation are prevented, and the safety of data between the upper computer and the USB equipment is further improved.
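As an added illustration (not code from the patent), sub-steps A10 to A30 carried out on one captured enumeration control transfer in Python: the GET_DESCRIPTOR(Device) setup packet is recognised, the VID/PID pair is extracted from the 18-byte standard device descriptor, and the blacklist/whitelist decision is made. The VID/PID values, the list contents and the treatment of unlisted or malformed devices are assumptions of the example.

```python
import struct
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Standard USB device descriptor (USB 2.0 spec, table 9-8), little-endian, 18 bytes.
DEVICE_DESCRIPTOR_FMT = "<BBHBBBBHHHBBBB"
DEVICE_DESCRIPTOR_LEN = struct.calcsize(DEVICE_DESCRIPTOR_FMT)  # 18
DT_DEVICE = 0x01          # bDescriptorType of a device descriptor
GET_DESCRIPTOR = 0x06     # bRequest of GET_DESCRIPTOR


@dataclass(frozen=True)
class UsbId:
    """Unique identifier of sub-step A10: the VID/PID pair. Note that VID/PID name a
    product model and are asserted by the device itself, so matching them checks
    the claimed identity, not the individual unit."""
    vid: int
    pid: int


@dataclass(frozen=True)
class Verdict:
    action: str            # "allow" or "block"
    alarm: Optional[str]   # alarm text for the cloud management server, if any


def is_get_device_descriptor(setup: bytes) -> bool:
    """Recognise the 8-byte SETUP packet of GET_DESCRIPTOR(Device), the control
    transfer in which the host first learns the device's VID/PID."""
    if len(setup) != 8:
        return False
    bm_request_type, b_request, w_value, _w_index, _w_length = struct.unpack("<BBHHH", setup)
    return (bm_request_type == 0x80           # device-to-host, standard, device recipient
            and b_request == GET_DESCRIPTOR
            and (w_value >> 8) == DT_DEVICE)  # descriptor type sits in the high byte


def extract_usb_id(data_stage: bytes) -> Optional[UsbId]:
    """Parse the device descriptor from the data stage; None if it is malformed."""
    if len(data_stage) < DEVICE_DESCRIPTOR_LEN:
        return None
    fields = struct.unpack(DEVICE_DESCRIPTOR_FMT, data_stage[:DEVICE_DESCRIPTOR_LEN])
    if fields[0] != DEVICE_DESCRIPTOR_LEN or fields[1] != DT_DEVICE:
        return None
    return UsbId(vid=fields[7], pid=fields[8])   # idVendor, idProduct


def apply_interception_rule(dev: UsbId, blacklist: FrozenSet[UsbId],
                            whitelist: FrozenSet[UsbId]) -> Verdict:
    """Sub-steps A20/A30: blacklist hit -> block and alarm; whitelist hit -> allow.
    A device on neither list is the 'unauthorized USB device' case of the text
    and is also blocked and reported (an assumption of this example)."""
    label = f"{dev.vid:04x}:{dev.pid:04x}"
    if dev in blacklist:
        return Verdict("block", f"blacklisted USB device {label}")
    if dev in whitelist:
        return Verdict("allow", None)
    return Verdict("block", f"unauthorized USB device {label} not on whitelist")


def audit_enumeration(setup: bytes, data_stage: bytes, blacklist: FrozenSet[UsbId],
                      whitelist: FrozenSet[UsbId]) -> Optional[Verdict]:
    """Run the interception rule over one captured control transfer. Transfers other
    than GET_DESCRIPTOR(Device) carry no identifier and return None (pass-through).
    Assumption: an unparsable descriptor leaves the device unidentified, so block it."""
    if not is_get_device_descriptor(setup):
        return None
    dev = extract_usb_id(data_stage)
    if dev is None:
        return Verdict("block", "malformed device descriptor during enumeration")
    return apply_interception_rule(dev, blacklist, whitelist)


def build_device_descriptor(vid: int, pid: int) -> bytes:
    """Constructed sample descriptor (USB 2.0, EP0 max packet 64, one configuration)."""
    return struct.pack(DEVICE_DESCRIPTOR_FMT, DEVICE_DESCRIPTOR_LEN, DT_DEVICE, 0x0200,
                       0, 0, 0, 64, vid, pid, 0x0100, 1, 2, 3, 1)


# Constructed samples: the standard GET_DESCRIPTOR(Device) setup packet (wLength = 18)
# and placeholder VID/PID values that belong to no real vendor.
GET_DEVICE_DESCRIPTOR_SETUP = bytes.fromhex("8006000100001200")
WHITELIST = frozenset({UsbId(0x1234, 0x0001)})   # e.g. the single authorized keyboard
BLACKLIST = frozenset({UsbId(0x1234, 0x0bad)})   # a device tied to an earlier incident

if __name__ == "__main__":
    for vid, pid in [(0x1234, 0x0001), (0x1234, 0x0bad), (0x5678, 0x0002)]:
        verdict = audit_enumeration(GET_DEVICE_DESCRIPTOR_SETUP,
                                    build_device_descriptor(vid, pid), BLACKLIST, WHITELIST)
        print(f"{vid:04x}:{pid:04x} -> {verdict}")
```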
Based on the foregoing embodiment, a third embodiment of the security audit method of the present invention is provided, in which step S30 may include the following sub-steps B10 to B20:
Sub-step B10: when the audit rule is an alarm-trigger management rule, unpack and analyze the USB data packets on the USB link to obtain the transmission content of the USB device.
An alarm-trigger management rule automatically issues a security warning when a certain condition is satisfied.
As an example, a security alert is issued automatically when a malicious program is detected on a USB flash drive or removable hard disk (i.e., a USB device) used by a user.
As another example, a security alert may be triggered automatically when the user's keyboard or mouse (i.e., a USB HID device) is detected inputting particular content (i.e., sensitive content).
In a specific implementation, when the audit rule is an alarm-trigger rule, the USB data packets are unpacked and analyzed, and the input content of the USB device is examined.
As an example, the input content of the corresponding mouse or keyboard (i.e., USB HID device) can be obtained by analyzing the USB HID packets (i.e., USB data packets).
Sub-step B20: when the transmission content is detected to be sensitive content, modify or intercept the USB data packet and send alarm information to the cloud management server.
Sensitive content is specific content or keywords that trigger a security alarm, such as passwords, personal identification information, time, and so on.
In a specific implementation, when the transmission content is detected to contain sensitive content, the USB data packet is modified or intercepted and alarm information is sent to the cloud management server.
As an example, the USB auditing device may monitor all keyboard input passing through its USB interface; when password data (i.e., sensitive content) entered on the keyboard is detected, the data may be modified to null data (or, alternatively, its forwarding may be cut off) and a security alarm triggered automatically.
In this embodiment, when the audit rule is an alarm-trigger rule, the USB data packets on the USB link are unpacked and analyzed to obtain the transmission content of the USB device; when the transmission content is detected to be sensitive content, the USB data packet is modified or intercepted and alarm information is sent to the cloud management server. Auditing the USB data packets through the alarm-trigger management rule thus modifies or intercepts dangerous data, so that sensitive content entered through a USB HID device is effectively monitored and protected and the risk of data leakage is reduced.
Based on the foregoing embodiment, a fourth embodiment of the security audit method of the present invention is provided, in which the following sub-step C10 may further be included after step S20:
Sub-step C10: allow the USB auditing device to issue audit rules locally, and analyze and process the USB data packets in a preset injection mode according to those rules.
An audit rule is a rule preset and implemented on the USB auditing device; it defines how the USB auditing device handles and monitors the use of USB devices, and it is stored on the USB auditing device once configuration is complete.
As an example, audit rules may define which USB devices are allowed to be used and what operations a USB device may perform, for instance preventing access by unauthorized USB devices.
As another example, the audit rules may include a filtering mechanism that monitors and records the USB data packets transmitted through the various USB interfaces of the USB auditing device.
In a specific implementation, after a USB violation is detected, the USB auditing device may be allowed to issue an audit rule locally, and the USB data packets are then analyzed and processed in a preset injection mode according to that local audit rule.
In addition, the audit rules issued locally by the USB auditing device may need to be updated manually from time to time to keep pace with changing USB audit security requirements and policies.
In this embodiment, the USB auditing device is allowed to issue audit rules locally and, according to those rules, analyzes and processes the USB data packets in a preset injection mode. The USB auditing device can therefore carry out its audit tasks automatically according to the audit rules without intervention from an external server, which improves audit efficiency and response speed and reduces dependence on network connectivity.
Further, an embodiment of the present invention provides a security audit method applied to a cloud management server, which may include the following steps S40 to S50:
Step S40: receive the illegal behavior reported by the USB auditing device, and determine an audit rule according to the illegal behavior.
In a specific implementation, the cloud management server receives the illegal behavior of the USB device reported by the USB auditing device and determines the corresponding audit rule according to that behavior.
As an example, a trusted device list is created containing the PIDs and VIDs of trusted USB devices; if the list holds only the PID and VID of the USB keyboard (i.e., the USB HID device), meaning that only the authorized USB keyboard is allowed to connect to the host computer, all USB interfaces other than the USB keyboard input may be locked or disabled. This improves the security of USB auditing and reduces security risk.
Step S50: issue the audit rule to the USB auditing device so that the USB auditing device can analyze and process the USB data packets in a preset injection mode according to the audit rule.
In a specific implementation, the cloud management server issues audit rules to the USB auditing device in order to manage it remotely; after receiving an audit rule, the USB auditing device analyzes and processes the USB data packets in a preset injection mode according to that rule.
In this embodiment, the USB illegal activity reported by the USB auditing device is received and an audit rule is determined according to it; the audit rule is issued to the USB auditing device so that the device can analyze and process the USB data packets in a preset injection mode according to the rule. Through the cooperation of the USB auditing device and the cloud management server, the invention monitors and proxies the whole USB handshake and data-transmission process between the USB device and the host computer, so that USB data packets can be audited, analyzed and modified; this addresses the security hazards that arise when USB devices are used and improves the security and reliability of the data of the host computer and the USB device.
Based on the same inventive concept, a sixth embodiment of the present invention further provides a security audit device corresponding to the security audit method of the foregoing embodiments. Since the device solves the problem on the same principle as the method, its implementation may refer to that of the method, and repeated details are omitted. Referring to fig. 6, the security audit device of the present invention may include:
the transmission module 10, configured to forward, after the USB auditing device is started, the USB data packets on the USB link between the host computer and the USB device in a preset transparent transmission mode, to enter a preset monitoring mode at the same time, and to capture and analyze in the monitoring mode the USB data packets transmitted through each USB interface;
the reporting module 20, configured to report an illegal behavior of the USB device to the cloud management server when such a behavior is detected, so that the cloud management server can determine an audit rule;
the auditing module 30, configured to receive the audit rule issued by the cloud management server and to analyze and process the USB data packets in a preset injection mode according to that rule.
In addition, the present invention provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the program implements the security audit method described above.
In summary, through the cooperation of the USB auditing device and the cloud management server, the invention monitors and proxies the whole USB handshake and data-transmission process between the USB device and the host computer, so that USB data packets can be audited, analyzed and modified; this addresses the security hazards that arise when USB devices are used and improves the security and reliability of the data of the host computer and the USB device.
The above embodiments merely illustrate the principles of the present invention and their effect and are not intended to limit the invention. Those skilled in the art may modify and vary the above-described embodiments without departing from the spirit and scope of the invention. Accordingly, all equivalent modifications and variations of the invention that are within the ordinary skill of the art are intended to be covered by the claims and to fall within the spirit and scope of the present disclosure.
Claims (10)
1. A security audit method, applied to a USB auditing device, wherein the USB auditing device is connected to a cloud management server and is connected to a host computer and a USB device through a USB UDC interface and a USB Host interface, the method comprising the following steps:
after the USB auditing device is started, transmitting the USB data packets on the USB link between the host computer and the USB device in a preset transparent transmission mode, entering a preset monitoring mode at the same time, and capturing and analyzing in the preset monitoring mode the USB data packets transmitted through each USB interface;
reporting a violation of the USB device to the cloud management server when the violation is detected, so that the cloud management server can determine an audit rule;
and receiving the audit rule issued by the cloud management server, and analyzing and processing the USB data packets in a preset injection mode according to the audit rule.
2. The method of claim 1, wherein the audit rule comprises an interception rule and/or an alarm-trigger management rule.
3. The method of claim 2, wherein analyzing and processing the USB data packets in the preset injection mode according to the audit rule comprises:
when the audit rule is an interception rule, analyzing the USB data packets on the USB link and extracting a unique identifier of the USB device;
and analyzing and identifying the unique identifier according to a preset blacklist, prohibiting communication transmission of the USB data packets when the unique identifier is contained in the device list of the preset blacklist, and sending alarm information to the cloud management server.
4. The method of claim 3, further comprising, after the step of extracting the unique identifier of the USB device:
analyzing and identifying the unique identifier according to a preset whitelist, and allowing communication transmission of the USB data packets when the unique identifier is contained in the device list of the preset whitelist.
5. The method of claim 2, wherein analyzing and processing the USB data packets in the preset injection mode according to the audit rule comprises:
when the audit rule is an alarm-trigger management rule, unpacking and analyzing the USB data packets on the USB link to obtain the transmission content of the USB device;
and when the transmission content is detected to be sensitive content, modifying or intercepting the USB data packet and sending alarm information to the cloud management server.
6. The method of claim 1, further comprising, after the step of detecting the violation of the USB device:
allowing the USB auditing device to issue audit rules locally, and analyzing and processing the USB data packets in a preset injection mode according to those audit rules.
7. A security audit method, applied to a cloud management server, the method comprising:
receiving illegal behaviors reported by a USB auditing device, and determining audit rules according to the illegal behaviors;
and issuing the audit rules to the USB auditing device so that the USB auditing device can analyze and process the USB data packets in a preset injection mode according to the audit rules.
8. A security audit device, applied to a USB auditing device, wherein the USB auditing device is connected to a cloud management server and is connected to a host computer and a USB device through a USB UDC interface and a USB Host interface, the security audit device comprising:
a transmission module, configured to transmit the USB data packets on the USB link between the host computer and the USB device in a preset transparent transmission mode after the USB auditing device is started, to enter a preset monitoring mode at the same time, and to capture and analyze in the preset monitoring mode the USB data packets transmitted through each USB interface;
a reporting module, configured to report illegal behaviors of the USB device to the cloud management server when they are detected, so that the cloud management server can determine audit rules;
and an auditing module, configured to receive the audit rules issued by the cloud management server and to analyze and process the USB data packets in a preset injection mode according to the audit rules.
9. A security audit system, comprising:
a USB auditing device, configured to transmit the USB data packets on the USB link between the host computer and the USB device in a preset transparent transmission mode after the USB auditing device is started, to enter a preset monitoring mode at the same time, and to capture and analyze in the preset monitoring mode the USB data packets transmitted through each USB interface;
the USB auditing device being further configured to report illegal behaviors of the USB device to a cloud management server when they are detected;
the cloud management server, configured to receive the illegal behaviors reported by the USB auditing device and to determine audit rules according to the illegal behaviors;
the cloud management server being further configured to issue the audit rules to the USB auditing device;
and the USB auditing device being further configured to receive the audit rules issued by the cloud management server and to analyze and process the USB data packets in a preset injection mode according to the audit rules.
10. A computer-readable storage medium, on which a computer program is stored which, when run, is adapted to carry out the steps of the method according to any one of claims 1 to 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410798390.5A CN118761065A (en) | 2024-06-20 | 2024-06-20 | Security audit methods, devices, systems and media |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN118761065A true CN118761065A (en) | 2024-10-11 |
Family ID: 92942490
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20090172705A1 (en) * | 2006-10-16 | 2009-07-02 | Kings Information & Network | Apparatus and Method for Preservation of USB Keyboard |
| CN105488395A (en) * | 2015-06-04 | 2016-04-13 | 哈尔滨安天科技股份有限公司 | Method and device for performing malicious device detection based on USB communication data |
| CN111783177A (en) * | 2020-07-15 | 2020-10-16 | 山东云天安全技术有限公司 | Device and method for carrying out safety protection and management on USB port |
| CN112905548A (en) * | 2021-03-25 | 2021-06-04 | 昆仑数智科技有限责任公司 | Safety audit system and method |
| CN113742722A (en) * | 2021-09-10 | 2021-12-03 | 成都立鑫新技术科技有限公司 | USB equipment security audit system and audit method |
Non-Patent Citations (4)
| Title |
|---|
| 吴敬征, 武延军, 罗天悦, 邵妍洁, 赵辰 (authors); 徐国爱 (chief editor): "Security Threat Analysis and Protection for Mobile Terminal Operating Systems", vol. 978, 31 August 2022, Beijing University of Posts and Telecommunications Press, pp. 25-26 * |
| 康云川; 代彦: "Research on the Principles of Malicious USB Devices and Protective Measures", Computer Technology and Development, vol. 30, no. 01, 10 January 2020 (2020-01-10) * |
| 石玉成: "Design and Implementation of a USB Device Monitoring and Audit Management System for Enterprise Intranets", Information Security and Technology, vol. 04, no. 01, 10 January 2013 (2013-01-10) * |
| 高杨; 李俊艳; 王强; 陈营端: "Development of a Networked Centralized Monitoring Device for USB Peripherals", Information and Electronic Engineering, vol. 08, no. 03, 25 June 2010 (2010-06-25) * |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | | |
| SE01 | Entry into force of request for substantive examination | | |
| RJ01 | Rejection of invention patent application after publication | | |
Application publication date: 20241011