
CN114444033A - A data security protection system and method based on the Internet of Things - Google Patents


Info

Publication number: CN114444033A
Application number: CN202111485746.2A
Authority: CN (China)
Prior art keywords: data, traffic, internet, things, module
Legal status: Granted; currently active (the status shown is Google's assumption, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN114444033B (en)
Inventors: 王睿, 马雷, 刘新, 刘冬兰, 张昊, 王勇, 陈剑飞, 于灏, 苏冰, 张方哲, 姚洪磊, 孙莉莉, 赵勇, 吕国栋, 井俊双
Current assignee: Electric Power Research Institute of State Grid Shandong Electric Power Co Ltd; State Grid Corp of China SGCC (the assignee listing is Google's assumption, not a legal conclusion)
Original assignee: Electric Power Research Institute of State Grid Shandong Electric Power Co Ltd; State Grid Corp of China SGCC

Events

Application filed by Electric Power Research Institute of State Grid Shandong Electric Power Co Ltd and State Grid Corp of China SGCC
Priority to CN202111485746.2A
Publication of CN114444033A
Application granted
Publication of CN114444033B
Legal status: Active

Classifications

All classes fall under section G (Physics), class G06 (Computing or calculating; counting); leaf codes with their parent groups:

    • G06F21/16 Program or content traceability, e.g. by watermarking (G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; digital rights management [DRM]; G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
    • G06F21/44 Program or device authentication (G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals)
    • G06F21/602 Providing cryptographic facilities or services (G06F21/60 Protecting data)
    • G06F21/604 Tools and structures for managing or administering access control systems (G06F21/60 Protecting data)
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database (G06F21/62 Protecting access to data via a platform)
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes (G06F21/62 Protecting access to data via a platform)
    • G06F40/194 Calculation of difference between files (G06F40/10 Text processing; G06F40/00 Handling natural language data)
    • G06F40/279 Recognition of textual entities (G06F40/20 Natural language analysis)
    • G06N3/044 Recurrent networks, e.g. Hopfield networks (G06N3/04 Architecture, e.g. interconnection topology; G06N3/02 Neural networks; G06N3/00 Computing arrangements based on biological models)
    • G06N7/01 Probabilistic graphical models, e.g. probabilistic networks (G06N7/00 Computing arrangements based on specific mathematical models)


Abstract

The invention discloses an IoT-based data security protection system and method. The system comprises an IoT terminal identity authentication module, a terminal network traffic encryption module, a background traffic decryption module, a background identity authentication module, a traffic protocol analysis module, a sensitive data detection module and a physical encryption machine control module. The method combines multiple data-security software and hardware components to achieve more transparent, user-imperceptible protection of sensitive data and automatic data desensitization in IoT scenarios, and thereby achieves data security protection.

Description

A data security protection system and method based on the Internet of Things

Technical field

The invention relates to the technical field of data security protection, and in particular to a data security protection system and method based on the Internet of Things.

Background

The statements in this section merely provide background information related to the invention and do not necessarily constitute prior art.

The Internet of Things (IoT) refers to the use of information sensors, radio-frequency identification, global positioning systems, infrared sensors, laser scanners and other devices and technologies to collect, in real time, whatever information is needed about any object or process that must be monitored, connected or interacted with, and to connect it over any available network, so that objects are ubiquitously connected to one another and to people and can be intelligently sensed, identified and managed. The IoT is an information carrier built on the Internet, traditional telecommunication networks and similar infrastructure; it lets every ordinary physical object that can be independently addressed form an interconnected network.

A data security protection system is a product developed in accordance with the graded security protection standards and regulations for important information systems and with the digital intellectual-property protection needs of enterprises. Its design combines a comprehensive data-file security policy, encryption and decryption technology and mandatory access control, and it applies controls of different security levels to the various data assets on an information medium in order to prevent the leakage and theft of confidential information. Collecting information through IoT devices and protecting that data is now a commonly used technique, and such protection requires a data security protection system.

Existing data security protection systems have the following technical problems in use:

1. Current data security protection systems are mostly either software-only or hardware-only; a single layer of protection offers a low security level and easily leads to loss of keys or of users' sensitive data.

2. Current IoT data security protection systems authenticate terminals with weak password-based methods, so identity information is easily leaked by attacks.

3. In current IoT data security protection systems, traffic from devices is transmitted across the Internet in plaintext, so sensitive data is easily intercepted and tampered with in transit; the accuracy with which device-related sensitive data is analysed and identified during transmission is low; encrypted storage of sensitive data involves no cryptographic hardware and encryption keys are stored in plaintext, which creates management loopholes and security risks; and sensitive data is neither desensitized nor watermarked, so private data leaks easily and cannot readily be traced to its source once leaked.

4. Data security access systems in IoT environments lack full-lifecycle log security analysis and audit functions, so security threat events cannot be analysed, located, warned about and handled in time.

Summary of the invention

To solve the above problems, the invention proposes an IoT-based data security protection system and method that combines software and hardware to solve the data-loss problem of single software or hardware protection in the prior art. Digital certificates are introduced into terminal device authentication to ensure that the terminal identity is trustworthy; the terminal's network communication is transparently encrypted end to end to secure terminal data; an AI model efficiently identifies sensitive data in communication data, and that data is desensitized and watermarked, improving the security of sensitive data sharing and the traceability of data when it is lost; and a security audit mechanism runs throughout the system to identify security threats efficiently and raise timely alerts.

In some embodiments, the following technical solution is adopted:

An IoT-based data security protection system, comprising:

an IoT terminal identity authentication module, configured to register and authorize terminal devices and to obtain a terminal digital certificate and device information;

a terminal network traffic encryption module, configured to establish a secure encrypted channel through key negotiation, to send the terminal's original protocol data traffic over that channel, and to carry the terminal certificate and device information for authentication and authorization;

a background traffic decryption module, configured to decrypt the ciphertext of the terminal's original protocol data traffic and obtain the original protocol data traffic;

a background identity authentication module, configured to obtain the terminal certificate and device information from the traffic and to verify the legitimacy of the IoT terminal's identity on the basis of the digital certificate and the terminal device information;

a traffic protocol analysis module, configured to copy all received TCP and HTTP traffic to a mirror server in real time; the mirror server decodes the protocols of the received data and, according to logical filtering rules, stores the data that matches the business rules into a message queue, and the message queue shaves the peaks of instantaneous traffic;

a sensitive data detection module, configured to detect sensitive data in the peak-shaved instantaneous traffic;

a physical encryption machine control module, configured to control automatic encryption and decryption of sensitive data, permission management, data desensitization and data watermarking.

As a further solution, the system also includes:

a data storage module, configured to store the automatically encrypted sensitive data in a database;

a security audit engine module, configured to discover attacks on the system, during or after the event, through continuous information collection and analysis.

As a further solution, the data watermarking function is as follows:

a numeric-attribute watermark embedding method and a categorical-attribute watermark embedding method automatically add database watermarks to different kinds of sensitive data; the numeric-attribute method modifies the original numeric value to embed a "0" or "1" watermark bit, and the categorical-attribute method embeds a carriage return or a line feed at the end of the categorical attribute value to represent a "0" or "1" watermark bit.
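The two embedding methods above, as an added worked example (this is not code from the patent or its assignee). The page says only that the numeric method modifies the value to carry a bit and that the categorical method appends CR for "0" or LF for "1"; everything else here is an assumption: the bit is carried in the parity of an integer column (at most +1 distortion), and an HMAC of the row's primary key under a secret decides which bit of the mark each row carries, so a party without the secret cannot tell which rows carry which bit. The table is constructed.

```python
"""Database watermarking for numeric and categorical attributes (added example).

Assumptions beyond the page: parity carries the numeric bit, and an HMAC of the
primary key under a secret selects the mark position for each row.
"""
import hashlib
import hmac
from typing import Dict, List, Optional, Union

Row = Dict[str, Union[int, str]]


def mark_position(secret: bytes, primary_key: str, n_bits: int) -> int:
    """Keyed, deterministic choice of which bit of the mark a row carries."""
    digest = hmac.new(secret, primary_key.encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") % n_bits


def embed_numeric(value: int, bit: int) -> int:
    """Force the parity of an integer attribute to equal the watermark bit."""
    return value if value % 2 == bit else value + 1


def extract_numeric(value: int) -> int:
    return value % 2


def embed_categorical(value: str, bit: int) -> str:
    """Append CR for bit 0 or LF for bit 1 (any earlier mark is replaced)."""
    return value.rstrip("\r\n") + ("\n" if bit else "\r")


def extract_categorical(value: str) -> Optional[int]:
    if value.endswith("\n"):
        return 1
    if value.endswith("\r"):
        return 0
    return None  # unmarked value


def watermark_rows(rows: List[Row], secret: bytes, mark: str, key_field: str = "id") -> List[Row]:
    """Embed the bit string `mark` into every non-key column of every row."""
    marked = []
    for row in rows:
        bit = int(mark[mark_position(secret, str(row[key_field]), len(mark))])
        new_row = dict(row)
        for col, val in row.items():
            if col == key_field:
                continue
            if isinstance(val, int):
                new_row[col] = embed_numeric(val, bit)
            elif isinstance(val, str):
                new_row[col] = embed_categorical(val, bit)
        marked.append(new_row)
    return marked


def recover_mark(rows: List[Row], secret: bytes, n_bits: int, key_field: str = "id") -> str:
    """Majority-vote each mark bit from the rows mapped to it. A position that
    no surviving row maps to comes back as '?', so a leaked subset still
    yields the bits it contains."""
    votes = [[0, 0] for _ in range(n_bits)]
    for row in rows:
        pos = mark_position(secret, str(row[key_field]), n_bits)
        for col, val in row.items():
            if col == key_field:
                continue
            bit = extract_numeric(val) if isinstance(val, int) else extract_categorical(val)
            if bit is not None:
                votes[pos][bit] += 1
    return "".join("?" if zero == one else ("1" if one > zero else "0") for zero, one in votes)


# Constructed sample table (not real metering data).
SAMPLE_ROWS: List[Row] = [
    {"id": f"meter-{i:03d}", "kwh": 1000 + 7 * i, "city": ("Jinan", "Qingdao", "Yantai")[i % 3]}
    for i in range(40)
]

if __name__ == "__main__":
    secret = b"watermark-secret"
    marked = watermark_rows(SAMPLE_ROWS, secret, "1011")
    print(recover_mark(marked, secret, 4))        # the embedded mark
    print(recover_mark(marked[:15], secret, 4))   # still recoverable from a leaked slice
```

Two caveats a practitioner will want: the CR/LF suffix survives only as long as nothing trims or normalises the column (most ETL tooling does), and the parity change is a real one-unit distortion, so the numeric method belongs only on columns where that is within tolerance. Keeping the secret inside the encryption machine is what makes a recovered mark attributable; whoever can recompute `mark_position` can also strip or forge it.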

As a further solution, the security audit engine module includes:

a log integration unit, which collects the log information generated while the system runs and stores and manages the logs centrally in a unified format;

an anomaly detection unit, which uses preset event correlation rules to identify abnormal host states, risky access terminals, and abnormal access requests and access traffic;

an automatic alerting unit, which automatically sends alert notifications for the identified abnormal events;

an exception handling unit, which gives corresponding handling recommendations for the detected security events.

In other embodiments, the following technical solution is adopted:

An IoT-based data security protection method, comprising:

registering and authorizing a terminal device and obtaining a terminal digital certificate and device information;

performing key negotiation and key exchange between the terminal device and the background to create a TLS 1.2 secure channel;

the terminal device sending its original protocol data traffic over the secure channel and carrying the terminal certificate and device information for authentication and authorization;

when the traffic reaches the background system, decrypting the traffic ciphertext to obtain the original protocol data traffic together with the terminal certificate and device information, and verifying the legitimacy of the IoT terminal's identity on the basis of the digital certificate and the terminal device information;

when terminal identity verification fails, intercepting the original protocol data traffic, not forwarding it to the network packet analysis module, and writing the anomaly to a log file; when terminal identity verification passes, performing protocol decoding, sensitive data detection and security audit operations on the original protocol data traffic.
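The background side of the channel and identity steps above, as an added example (not the patent's code). It assumes a server-side TLS context that requires a client certificate and refuses anything below TLS 1.2, that the device ID is carried in the certificate's commonName, and a registry filled at registration time that binds each device ID to its certificate serial number and to device information (here a MAC address) that the terminal also sends in-band. The field names, the registry and the peer certificate dict are constructed; the dict uses the layout Python's `SSLSocket.getpeercert()` returns.

```python
"""Background identity check for an IoT terminal over mutually authenticated
TLS 1.2 (added example). Binding fields and registry layout are assumptions."""
import ssl
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Registration:
    device_id: str
    cert_serial: str   # upper-case hex serial, as getpeercert() reports it
    mac: str


def build_server_context(ca_file: str, cert_file: str, key_file: str) -> ssl.SSLContext:
    """Server context that demands a client certificate chained to the
    registration CA and negotiates TLS 1.2 or newer. Paths are the caller's."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED          # a terminal without a certificate is rejected
    ctx.load_verify_locations(cafile=ca_file)
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def _common_name(peer_cert: dict) -> Optional[str]:
    """commonName from the nested-tuple 'subject' layout of getpeercert()."""
    for rdn in peer_cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def verify_terminal(peer_cert: dict, device_info: Dict[str, str],
                    registry: Dict[str, Registration],
                    now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide whether decrypted traffic may go on to protocol analysis.

    The TLS layer has already verified the chain and proof of key possession;
    this checks the application-level binding device ID -> certificate ->
    device information. Returns (ok, reason); on failure the caller drops the
    traffic and logs the reason instead of forwarding it.
    """
    now = time.time() if now is None else now
    device_id = _common_name(peer_cert)
    if device_id is None:
        return False, "certificate has no commonName"
    reg = registry.get(device_id)
    if reg is None:
        return False, f"device {device_id} is not registered"
    if peer_cert.get("serialNumber") != reg.cert_serial:
        return False, f"certificate serial mismatch for {device_id}"
    if now > ssl.cert_time_to_seconds(peer_cert["notAfter"]):
        return False, f"certificate for {device_id} has expired"
    if device_info.get("device_id") != device_id:
        return False, "in-band device_id does not match the certificate"
    if device_info.get("mac", "").lower() != reg.mac.lower():
        return False, f"device information for {device_id} does not match registration"
    return True, "ok"


# Constructed registry, peer certificate and in-band device information.
REGISTRY = {
    "meter-0001": Registration("meter-0001", "1A2B3C", "00:11:22:33:44:55"),
}
PEER_CERT_OK = {
    "subject": ((("commonName", "meter-0001"),),),
    "serialNumber": "1A2B3C",
    "notAfter": "Jun 15 00:00:00 2031 GMT",
}
DEVICE_INFO_OK = {"device_id": "meter-0001", "mac": "00:11:22:33:44:55"}

if __name__ == "__main__":
    print(verify_terminal(PEER_CERT_OK, DEVICE_INFO_OK, REGISTRY))
    print(verify_terminal(PEER_CERT_OK, {"device_id": "meter-0001", "mac": "66:77:88:99:aa:bb"}, REGISTRY))
```

The TLS handshake proves possession of the certificate's private key; `verify_terminal` proves that this certificate is the one issued to the registered terminal and that the terminal's self-reported information still matches. A MAC address is trivially spoofable, so a stolen certificate together with copied device information would still pass; binding to an identifier the terminal cannot rewrite, or attesting it from hardware, is the stronger form of the same check.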

As a further solution, performing protocol decoding on the original protocol data traffic specifically includes:

collecting all data packets on the server in real time and copying all received traffic to the mirror server;

an analysis module deployed on the mirror server decoding the TCP and HTTP protocols of the received data, matching the specific business data against logical filtering rules, discarding data that does not match the rules, and storing data that matches the business rules into a message queue.

As a further solution, performing sensitive data detection on the original protocol data traffic specifically includes:

obtaining the IoT terminal device data from the message queue and preprocessing it (data cleaning, stop-word removal and text normalization) to obtain an IoT terminal device dataset;

obtaining a text set annotated with sensitive data as an auxiliary dataset;

for the samples in the auxiliary dataset, computing and ranking word importance, the top m words forming the auxiliary-dataset keyword set; for the samples in the IoT terminal device dataset, computing and ranking word importance, the top m words forming the IoT terminal device dataset keyword set;

computing the similarity between the auxiliary-data keyword set and the IoT terminal device data keyword set, and the similarity between sentences of the auxiliary dataset and sentences of the IoT terminal device dataset;

extending the auxiliary-data keywords and auxiliary-dataset sentence samples whose similarity exceeds a set threshold into the IoT terminal device dataset samples;

using a trained sensitive data detection model on the extended IoT terminal device dataset to identify sensitive data; the sensitive data detection model obtains character vectors for the data from a BERT model, learns contextual features with a bidirectional long short-term memory (BiLSTM) network to identify sensitive data, and finally uses a CRF for sequence labelling.

As a further solution, computing and ranking word importance for the samples in the auxiliary dataset and in the IoT terminal device dataset specifically includes:

computing the sentence keyword frequency and inverse sentence frequency for the IoT terminal device data;

computing the sentence keyword frequency and inverse sentence frequency for the auxiliary dataset;

obtaining, from the product of sentence keyword frequency and inverse sentence frequency, the importance of a word i in a sentence j of the auxiliary dataset and the importance of a word i in a sentence j of the IoT terminal device data.
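The keyword-importance and sample-expansion steps above, carried through on constructed data as an added example (not the patent's code). The page names the quantities and the steps; the concrete choices here are assumptions: tokens are lowercased alphanumeric runs with a small stop-word list removed, inverse sentence frequency is log(N / df), a word's corpus-level importance is its best per-sentence score, and similarity is Jaccard over token sets (for sentences) and over keyword sets (for the two corpora). The BERT + BiLSTM + CRF model that consumes the expanded dataset is outside this example.

```python
"""Sentence keyword frequency x inverse sentence frequency, top-m keywords,
and transfer of similar labelled auxiliary samples (added example)."""
import math
import re
from collections import Counter
from typing import Dict, List, Sequence, Set, Tuple

STOP_WORDS = {"a", "an", "and", "at", "by", "for", "of", "the", "to"}
TOKEN_RE = re.compile(r"[a-z0-9][a-z0-9\-]*")


def tokenize(sentence: str) -> List[str]:
    return [t for t in TOKEN_RE.findall(sentence.lower()) if t not in STOP_WORDS]


def word_importance(sentences: Sequence[str]) -> Dict[str, float]:
    """importance(i, j) = skf(i, j) * isf(i); the score kept per word is the
    maximum over sentences j (assumption). isf = log(N / df), so a word that
    occurs in every sentence scores 0."""
    tokens = [tokenize(s) for s in sentences]
    n = len(tokens)
    df = Counter(w for toks in tokens for w in set(toks))
    best: Dict[str, float] = {}
    for toks in tokens:
        if not toks:
            continue
        for word, count in Counter(toks).items():
            skf = count / len(toks)             # sentence keyword frequency
            isf = math.log(n / df[word])        # inverse sentence frequency
            best[word] = max(best.get(word, 0.0), skf * isf)
    return best


def top_keywords(sentences: Sequence[str], m: int) -> List[str]:
    scores = word_importance(sentences)
    return [w for w, _ in sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))[:m]]


def jaccard(a: Set[str], b: Set[str]) -> float:
    return len(a & b) / len(a | b) if (a or b) else 0.0


def expand_dataset(iot_sentences: Sequence[str],
                   aux_samples: Sequence[Tuple[str, List[str]]],
                   m: int, threshold: float):
    """Return (transferred samples, merged keyword set, keyword-set similarity).

    A labelled auxiliary sample is transferred when its best Jaccard similarity
    to any IoT sentence reaches `threshold`; auxiliary keywords that occur in a
    transferred sample join the IoT keyword set (assumption)."""
    iot_tokens = [set(tokenize(s)) for s in iot_sentences]
    iot_keywords = set(top_keywords(iot_sentences, m))
    aux_keywords = set(top_keywords([s for s, _ in aux_samples], m))
    added = []
    for sentence, labels in aux_samples:
        toks = set(tokenize(sentence))
        best = max((jaccard(toks, it) for it in iot_tokens), default=0.0)
        if best >= threshold:
            added.append((sentence, labels, round(best, 3)))
    merged = iot_keywords | {k for k in aux_keywords if any(k in tokenize(s) for s, _, _ in added)}
    return added, merged, jaccard(iot_keywords, aux_keywords)


# Constructed corpora (not real traffic). Labels name the sensitive-data types in a sample.
IOT_SENTENCES = [
    "meter reading uploaded by device meter-0001 at substation jinan",
    "alarm device meter-0002 voltage spike at substation qingdao",
    "contact phone 13800138000 registered for device meter-0003",
    "owner name and id card number attached to device meter-0004 record",
]
AUX_SAMPLES = [
    ("customer phone 13900139000 recorded for contract renewal", ["PHONE"]),
    ("device meter-0100 firmware updated at substation weifang", []),
    ("id card number 370102199001011234 attached to customer record", ["ID_CARD"]),
    ("quarterly revenue report submitted to headquarters", []),
]

if __name__ == "__main__":
    added, keywords, sim = expand_dataset(IOT_SENTENCES, AUX_SAMPLES, m=5, threshold=0.3)
    for sentence, labels, score in added:
        print(score, labels, sentence)
    print(sorted(keywords), sim)
```

With the constructed corpora only the ID-card sample clears a 0.3 threshold (it shares five of eleven tokens with the owner-record sentence); lowering the threshold to 0.15 also pulls in the firmware sample, which shares nothing sensitive. The threshold and m are therefore the knobs to tune on held-out labelled data, since every transferred sample carries its labels into the training set of the detector.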

As a further solution, performing security audit operations on the original protocol data traffic specifically includes:

collecting the logs generated by the log sources;

performing correlation analysis with preset event correlation rules to monitor events such as abnormal host states, risky access terminals, abnormal access requests and abnormal access traffic, and sending alert notifications for abnormal events;

handling detected anomalies or security events accordingly.

As a further solution, handling detected anomalies or security events accordingly specifically includes:

for a host in an abnormal state, restricting its outbound access to other systems while tracing the cause of the anomaly and identifying the risky accessing subject;

for a risky access terminal, restricting its access permissions until the terminal's risk has been remediated;

for an abnormal request, restricting the access permissions of the requesting subject;

for abnormal access traffic, tracing the accessing subject and restricting or blocking that subject's access permissions.
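The correlation and disposition steps above, run over constructed log lines as an added example (not the patent's code). The log line format, the thresholds (three identity failures, or more than twenty requests, from one subject within 60 s), the allowed request paths and the sample lines are all assumptions; the four event classes and the disposition attached to each follow the page.

```python
"""Event-correlation rules over collected logs, each alert carrying the
disposition the page prescribes for its event class (added example)."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Deque, Dict, List

DISPOSITIONS = {
    "abnormal_host": "restrict the host's outbound access to other systems; trace the cause; identify the accessing subject",
    "risky_terminal": "restrict the terminal's access until its risk is remediated",
    "abnormal_request": "restrict the requesting subject's access permissions",
    "abnormal_traffic": "trace the accessing subject; restrict or block its access",
}
ALLOWED_PATHS = {"/api/v1/upload", "/api/v1/heartbeat"}   # assumed business allow-list
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Alert:
    kind: str
    subject: str
    evidence: str
    disposition: str


def parse_line(line: str) -> Dict[str, object]:
    """'<ISO-8601 UTC timestamp> key=value ...' -> dict with a datetime under 'ts'."""
    ts_text, _, rest = line.partition(" ")
    rec: Dict[str, object] = dict(KV_RE.findall(rest))
    rec["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def correlate(lines: List[str], window_s: int = 60, fail_limit: int = 3, rate_limit: int = 20) -> List[Alert]:
    fails: Dict[str, Deque[datetime]] = defaultdict(deque)
    reqs: Dict[str, Deque[datetime]] = defaultdict(deque)
    raised = set()
    alerts: List[Alert] = []

    def raise_once(kind: str, subject: str, evidence: str) -> None:
        if (kind, subject) not in raised:            # one alert per subject and rule, no storms
            raised.add((kind, subject))
            alerts.append(Alert(kind, subject, evidence, DISPOSITIONS[kind]))

    def push(window: Deque[datetime], ts: datetime) -> int:
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()
        return len(window)

    # Sorting by timestamp tolerates out-of-order delivery from several log sources.
    for rec in sorted(map(parse_line, lines), key=lambda r: r["ts"]):
        ts = rec["ts"]
        event = rec.get("event")
        subject = str(rec.get("subject", rec.get("host", "?")))
        if event == "auth_fail":
            n = push(fails[subject], ts)
            if n >= fail_limit:
                raise_once("risky_terminal", subject, f"{n} identity failures within {window_s}s")
        elif event == "request":
            if rec.get("path") not in ALLOWED_PATHS:
                raise_once("abnormal_request", subject, f"path {rec.get('path')} not permitted")
            n = push(reqs[subject], ts)
            if n > rate_limit:
                raise_once("abnormal_traffic", subject, f"{n} requests within {window_s}s")
        elif event == "host_state" and rec.get("state") != "ok":
            raise_once("abnormal_host", str(rec.get("host")),
                       f"state={rec.get('state')} reason={rec.get('reason')}")
    return alerts


# Constructed log lines (not from a real system).
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z host=gw-1 subject=meter-0042 event=auth_fail reason=cert_serial_mismatch",
    "2024-05-01T10:00:05Z host=gw-1 subject=meter-0042 event=auth_fail reason=cert_serial_mismatch",
    "2024-05-01T10:00:09Z host=gw-1 subject=meter-0042 event=auth_fail reason=cert_serial_mismatch",
    "2024-05-01T10:00:30Z host=gw-1 subject=meter-0009 event=request path=/admin/export",
    "2024-05-01T10:01:00Z host=mirror-1 event=host_state state=abnormal reason=unexpected_outbound_connection",
    "2024-05-01T10:02:00Z host=gw-1 subject=meter-0001 event=request path=/api/v1/heartbeat",
] + [
    f"2024-05-01T10:03:{i:02d}Z host=gw-1 subject=meter-0007 event=request path=/api/v1/upload"
    for i in range(25)
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(f"{alert.kind:17s} {alert.subject:10s} {alert.evidence} -> {alert.disposition}")
```

Each `Alert` is what the automatic alerting unit would hand to the e-mail, SMS or telephone tier, and the disposition string is the recommendation the exception handling unit attaches. The one-alert-per-subject-and-rule guard matters in practice: a terminal hammering the gateway would otherwise generate one notification per request.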

Compared with the prior art, the beneficial effects of the invention are:

(1) The invention authenticates IoT terminal devices with digital certificates, ensuring that terminals are trustworthy and making IoT terminals manageable and controllable; the protocol traffic of IoT terminal devices is transparently encrypted throughout transmission, ensuring that sensitive data is secure and reliable in transit.

(2) The invention efficiently replicates the traffic of data collected by terminal devices in an IoT environment and identifies sensitive data automatically with a bidirectional long short-term memory network fused with a BERT model and a conditional random field algorithm, effectively solving the low detection accuracy of the prior art for sensitive data of structured, unstructured and other data types. For the sensitive-data issues found, it issues real-time risk warnings at different levels (e-mail, SMS, telephone) to alert the security owner and the business owner to data risks.

(3) The invention adopts a sensitive data encryption and decryption mode that combines software and hardware, using a physical encryption machine for the encryption, decryption and key access control of sensitive data, which solves the problems of difficult key management and easy key loss; it also introduces data desensitization and data watermarking, which improves data security when sensitive data is shared and enhances traceability when data is leaked.

(4) The invention provides full-lifecycle log security analysis and audit functions, enabling timely analysis, location, early warning and handling of security threat events.

Description of the drawings

FIG. 1 is a structural block diagram of the data security protection system of this embodiment.

Detailed description

It should be noted that the following detailed description is exemplary and intended to provide further explanation of the application. Unless otherwise defined, all technical and scientific terms used herein have the same meaning as commonly understood by a person of ordinary skill in the art to which this application belongs.

It should be noted that the terminology used here is for describing specific embodiments only and is not intended to limit the exemplary embodiments of the application. As used here, unless the context clearly indicates otherwise, singular forms are intended to include the plural as well; furthermore, when the terms "comprising" and/or "including" are used in this specification, they indicate the presence of the stated features, steps, operations, devices, components and/or combinations thereof.

Embodiment 1

In one or more embodiments, an IoT-based data security protection system is disclosed that uses multiple data-security software and hardware modules and makes full use of an AI detection model and a sensitive-data rule model to achieve more transparent sensitive data protection and automatic data desensitization in IoT scenarios, thereby achieving data security protection.

Specifically, referring to FIG. 1, the IoT-based data security protection system includes:

(1) an IoT terminal identity authentication module, configured to register and authorize terminal devices and obtain a terminal digital certificate and device information;

(2) a terminal network traffic encryption module, configured to establish a TLS 1.2 secure encrypted channel through key negotiation with the background system, send the terminal's original protocol data traffic over that channel, and carry the terminal certificate and device information for authentication and authorization;

(3) a background traffic decryption module, configured to decrypt the ciphertext of the terminal's original protocol data traffic and obtain the original protocol data traffic;

(4) a background identity authentication module, configured to obtain the terminal certificate and device information from the traffic and verify the legitimacy of the IoT terminal's identity on the basis of the digital certificate and terminal device information;

(5) a traffic protocol analysis module, comprising a traffic replication module and a data analysis module. The traffic replication module is deployed on the web server and, working on application-layer data, copies all received TCP and HTTP traffic to the mirror server in real time. The analysis module deployed on the mirror server decodes the protocols of the received data, matches the specific business data against logical filtering rules, and stores data that matches the business rules into a message queue; the message queue shaves the peaks of instantaneous traffic and pushes the data smoothly to the sensitive data detection module.

(6) a sensitive data detection module, configured as a functional module that detects sensitive data such as personal names, place names, organization names, bank card numbers and mobile phone numbers on the basis of rules and deep learning.
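The rule-based half of module (6), as an added example (not the patent's code), for the machine-checkable categories the page lists: mobile phone number, ID card number, bank card number, e-mail address, IPv4 address and MAC address. Personal, place and organization names are the deep-learning half and are not regex-detectable. Each pattern whose format carries a check digit is paired with its validator, so a random digit run is not reported as a card or ID number. The sample text is constructed; the ID and card numbers in it are well-known test values, not real people.

```python
"""Rule-based sensitive-data detector with check-digit validation (added example)."""
import re
from typing import Callable, Dict, List, Tuple

# Dict order is the priority order: longer, more specific formats first.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "id_card":   re.compile(r"(?<![0-9A-Za-z])\d{17}[\dXx](?![0-9A-Za-z])"),   # PRC 18-digit ID
    "bank_card": re.compile(r"(?<!\d)\d{16,19}(?!\d)"),
    "mobile":    re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)"),                        # mainland China mobile
    "email":     re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "mac":       re.compile(r"(?<![0-9A-Fa-f:])(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}(?![0-9A-Fa-f:])"),
    "ipv4":      re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])"),
}


def luhn_ok(number: str) -> bool:
    """Luhn check digit used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def id_card_ok(number: str) -> bool:
    """ISO 7064 MOD 11-2 check character of the PRC 18-digit ID number."""
    weights = (7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2)
    total = sum(int(c) * w for c, w in zip(number[:17], weights))
    return "10X98765432"[total % 11] == number[17].upper()


def ipv4_ok(addr: str) -> bool:
    return all(0 <= int(octet) <= 255 for octet in addr.split("."))


VALIDATORS: Dict[str, Callable[[str], bool]] = {
    "id_card": id_card_ok, "bank_card": luhn_ok, "ipv4": ipv4_ok,
}

Hit = Tuple[str, str, int, int]   # (kind, value, start, end)


def detect(text: str) -> List[Hit]:
    """Run every rule in priority order; a span overlapping an accepted hit is
    skipped, so the 17-digit prefix of an ID number is not also a bank card."""
    taken: List[Tuple[int, int]] = []
    hits: List[Hit] = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            start, end = m.span()
            if any(start < t_end and t_start < end for t_start, t_end in taken):
                continue
            if not VALIDATORS.get(kind, lambda _: True)(m.group()):
                continue
            taken.append((start, end))
            hits.append((kind, m.group(), start, end))
    return sorted(hits, key=lambda h: h[2])


# Constructed sample text; the numbers are standard test values.
SAMPLE_TEXT = (
    "owner zhang wei phone 13800138000 id 11010519491231002X card 4111111111111111 "
    "email ops@example.com device 00:1A:2B:3C:4D:5E at 10.2.3.4; "
    "ref 1234567890123456; bad ip 999.1.1.1"
)

if __name__ == "__main__":
    for kind, value, start, end in detect(SAMPLE_TEXT):
        print(f"{kind:10s} {value} [{start}:{end}]")
```

On the sample text the 16-digit reference number fails Luhn and the 999.x address fails the octet check, so neither is reported; the hits that remain are exactly what the desensitization step downstream needs, with character offsets so masking can be applied in place.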

(7)物理加密机控制模块,被配置为用于实现敏感数据自动加解密、权限管理、数据脱敏及数据水印功能控制。(7) The physical encryption machine control module is configured to realize automatic encryption and decryption of sensitive data, rights management, data desensitization and data watermark function control.

其中,敏感数据自动加解密单元使用支持国家和行业标准的敏感数据加解密算法对AI模型产出的敏感数据进行加密计算,该模块支持对称加密算法、非对称加密算法、摘要算法等。Among them, the sensitive data automatic encryption and decryption unit uses sensitive data encryption and decryption algorithms that support national and industry standards to encrypt and calculate the sensitive data produced by the AI model. This module supports symmetric encryption algorithms, asymmetric encryption algorithms, and digest algorithms.

权限管理单元构建了严格的用户身份认证体系和权责分离的密钥管理体系。确保加密机的密钥和数据访问获取权限安全可控,用户和应用只有被授权之后,才可使用加密机的密钥和数据。The authority management unit has built a strict user identity authentication system and a key management system with separation of rights and responsibilities. Ensure that the encryption machine's keys and data access permissions are secure and controllable, and users and applications can only use the encryption machine's keys and data after authorization.

数据脱敏单元基于高效的脱敏算法,对AI模型产出的敏感数据进行变形、屏蔽、替换、加密等,实现隐私数据去敏感化。在确保业务正常的前提下,高效实现物联网终端敏感数据信息安全不被泄露。Based on an efficient desensitization algorithm, the data desensitization unit deforms, shields, replaces, and encrypts the sensitive data produced by the AI model to desensitize private data. On the premise of ensuring normal business, efficiently realize the security of sensitive data and information of IoT terminals without being leaked.

In this embodiment, data masking proceeds as follows:

Step one: sensitive-data inventory. Identify the target data to be masked. The sensitive information handled by the invention includes personal identity information (name, national ID number, bank card number, mobile number, e-mail address, etc.), enterprise information (business licence, unified social credit code, tax registration number), key material (symmetric keys, the private key of an asymmetric key pair), device information (device ID, IP address, MAC address, IPv6 address), location information (latitude and longitude, province, city, GPS position, street address) and general sensitive information (dates).

Step two: configure masking rules and processing algorithms. A number of masking rules are preset in the HSM. The supported algorithms are hash masking, encryption masking, character masking, keyword replacement, deletion masking and rounding masking. Hash masking applies a hash function to the sensitive value and supports SHA-256 and SHA-512; because fields such as mobile numbers and ID numbers come from a small, enumerable space, a plain digest of them can be reversed by hashing every candidate, so for such fields the hash should be keyed (an HMAC under a key held in the HSM) or salted if the output is to be treated as de-identified. Encryption masking builds an encryption configuration from a cipher and an encryption master key and masks the data by encrypting it; in the result, the first 16 bytes are the initialization vector (IV) and the remainder is the ciphertext. Character masking covers part of the value with a fixed character such as * or with random characters (random digits, random letters, or a mix of both). Keyword replacement finds a keyword in the specified column and replaces it. Deletion masking sets the specified field to NULL or to an empty value: NULL masking sets the field to NULL, empty-value masking sets its content to the empty string. Rounding masking rounds a date or a number.

The applicable scenarios for these algorithms are divided into data use, data sharing and data storage. For data use the selectable algorithms are character masking and rounding masking; for data sharing, character masking, keyword replacement and deletion masking; for data storage, hash masking, encryption masking, keyword replacement, deletion masking and rounding masking.

Step three: create a masking task. From the tables that the AI model has identified as containing sensitive fields, and in light of the actual application, confirm the tables and fields that require masking and create the masking task. While the task runs, the upstream and downstream processes must keep operating normally, and the normal output and storage of information that is not being masked must not be affected.

Step four: execute the masking task to complete the masking of the sensitive data.
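As an added illustration of steps two to four (example code, not the patent's own), the following Python implements the masking algorithms the embodiment lists, with the exception of encryption masking, which needs a cipher library, and checks a masking task against the scenario table above before running it. The short rule names, the HMAC key option for keyed hashing, the rounding granularities and the sample record are assumptions constructed for the example.

```python
import hashlib
import hmac
from datetime import date
from typing import Optional

# Scenario -> permitted masking algorithms, as listed in the embodiment.
# The short rule names are an assumption of this example.
SCENARIO_RULES = {
    "use":     {"mask", "round"},
    "share":   {"mask", "replace", "delete"},
    "storage": {"hash", "encrypt", "replace", "delete", "round"},
}


def hash_mask(value: str, key: Optional[bytes] = None, algo: str = "sha256") -> str:
    """Hash masking with SHA-256 or SHA-512. `key` is an addition: with a key
    (ideally held in the HSM) the digest becomes an HMAC, so a phone number or
    ID number cannot be recovered by hashing every candidate value."""
    if algo not in ("sha256", "sha512"):
        raise ValueError("unsupported digest")
    data = value.encode("utf-8")
    if key is None:
        return hashlib.new(algo, data).hexdigest()
    return hmac.new(key, data, algo).hexdigest()


def char_mask(value: str, keep_head: int = 0, keep_tail: int = 0, fill: str = "*") -> str:
    """Character masking: keep the first/last characters, cover the middle."""
    if keep_head + keep_tail >= len(value):
        return fill * len(value)
    covered = len(value) - keep_head - keep_tail
    return value[:keep_head] + fill * covered + value[len(value) - keep_tail:]


def keyword_replace(value: str, replacements: dict) -> str:
    """Keyword replacement: substitute each listed keyword found in the value."""
    for keyword, substitute in replacements.items():
        value = value.replace(keyword, substitute)
    return value


def delete_mask(value, mode: str = "null"):
    """Deletion masking: 'null' sets the field to NULL (None), 'empty' to ''."""
    if mode == "null":
        return None
    if mode == "empty":
        return ""
    raise ValueError("mode must be 'null' or 'empty'")


def round_mask(value, step: int = 10):
    """Rounding masking: a date is truncated to the first of its month, a number
    is rounded down to a multiple of `step` (both granularities are assumptions)."""
    if isinstance(value, date):
        return value.replace(day=1)
    return (int(value) // step) * step


ALGORITHMS = {"hash": hash_mask, "mask": char_mask, "replace": keyword_replace,
              "delete": delete_mask, "round": round_mask}


def check_task(scenario: str, field_rules: dict) -> list:
    """Validate a masking task (field -> algorithm) against the scenario table
    and return the violations, so a misconfigured task is rejected before it runs."""
    allowed = SCENARIO_RULES[scenario]
    return [f"{field}: '{algo}' is not permitted for scenario '{scenario}'"
            for field, algo in field_rules.items() if algo not in allowed]


def run_task(scenario: str, record: dict, field_rules: dict, params: dict) -> dict:
    """Steps three and four: apply the configured algorithm to each listed field."""
    problems = check_task(scenario, field_rules)
    if problems:
        raise ValueError("; ".join(problems))
    masked = dict(record)
    for field, algo in field_rules.items():
        if algo not in ALGORITHMS:
            raise NotImplementedError(f"{algo} is not implemented in this example")
        masked[field] = ALGORITHMS[algo](record[field], **params.get(field, {}))
    return masked


# Constructed sample record and a data-sharing task (not real data).
SAMPLE = {"name": "张三", "phone": "13800138000", "device_ip": "10.0.12.7",
          "login_date": date(2021, 12, 7), "age": 37}
SHARE_RULES = {"phone": "mask", "device_ip": "replace", "name": "delete"}
SHARE_PARAMS = {"phone": {"keep_head": 3, "keep_tail": 4},
                "device_ip": {"replacements": {"10.0.12.": "10.0.x."}},
                "name": {"mode": "empty"}}

if __name__ == "__main__":
    print(run_task("share", SAMPLE, SHARE_RULES, SHARE_PARAMS))
    print(check_task("storage", SHARE_RULES))  # character masking is not allowed for storage
```

The scenario check is the part worth keeping: the same task definition that is valid for sharing (character masking of the phone number) is rejected for storage, where the page allows only hash, encryption, replacement, deletion and rounding.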

The data watermarking module automatically adds a database watermark to sensitive data, addressing the difficulty of tracing leaks and protecting data ownership when data is shared and exchanged. Two embedding methods are used, one for the numeric attributes of a tuple (for example age or timestamp) and one for its categorical attributes (for example ID number or address). The numeric method modifies the original value according to a fixed rule to embed a "0" or "1" watermark bit; to keep the data usable, the replacement is made in the least significant bit. Because a categorical value cannot be altered numerically, the categorical method appends a carriage return or a line feed to the end of the value to represent a "0" or a "1" watermark bit respectively.
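The two embedding methods described above, as an added example that is not code from the patent: numeric attributes carry the watermark bit in their least significant bit, categorical attributes carry it as a trailing CR (bit 0) or LF (bit 1). Which row carries which bit is an assumption (row i carries payload bit i mod length, so the bits repeat across the table); the rows are constructed sample data.

```python
def embed_numeric(value: int, bit: int) -> int:
    """Replace the least significant bit of an integer attribute."""
    return (value & ~1) | bit


def extract_numeric(value: int) -> int:
    return value & 1


def embed_category(value: str, bit: int) -> str:
    """Append CR for bit 0 or LF for bit 1 to a category attribute value."""
    return value + ("\n" if bit else "\r")


def extract_category(value: str):
    """Return the embedded bit, or None when no marker is present (for
    example after a downstream system trimmed trailing whitespace)."""
    if value.endswith("\n"):
        return 1
    if value.endswith("\r"):
        return 0
    return None


def embed_watermark(rows, column, kind, payload: str):
    """Embed the bit string `payload` across `rows` in `column`; kind is
    'numeric' or 'category'. Returns new rows, the input is left intact."""
    marked = []
    for i, row in enumerate(rows):
        bit = int(payload[i % len(payload)])
        row = dict(row)
        if kind == "numeric":
            row[column] = embed_numeric(row[column], bit)
        elif kind == "category":
            row[column] = embed_category(row[column], bit)
        else:
            raise ValueError("kind must be 'numeric' or 'category'")
        marked.append(row)
    return marked


def extract_watermark(rows, column, kind, length: int) -> str:
    """Recover a `length`-bit payload by majority vote over the repeating
    positions, so a few altered rows do not destroy the mark. A position with
    no readable vote is reported as '?'."""
    votes = [[0, 0] for _ in range(length)]
    for i, row in enumerate(rows):
        bit = extract_numeric(row[column]) if kind == "numeric" else extract_category(row[column])
        if bit is not None:
            votes[i % length][bit] += 1
    return "".join("?" if zeros == ones == 0 else ("1" if ones > zeros else "0")
                   for zeros, ones in votes)


# Constructed sample rows (not real data) and a 4-bit mark that identifies
# the recipient of this particular data share.
ROWS = [
    {"device_id": "dev-001", "age": 34, "city": "Jinan"},
    {"device_id": "dev-002", "age": 41, "city": "Qingdao"},
    {"device_id": "dev-003", "age": 29, "city": "Yantai"},
    {"device_id": "dev-004", "age": 52, "city": "Weifang"},
    {"device_id": "dev-005", "age": 47, "city": "Jinan"},
    {"device_id": "dev-006", "age": 38, "city": "Zibo"},
]
PAYLOAD = "1011"

if __name__ == "__main__":
    marked = embed_watermark(ROWS, "age", "numeric", PAYLOAD)
    print([r["age"] for r in marked], extract_watermark(marked, "age", "numeric", 4))
```

Two practical limits follow directly from the method: the numeric mark shifts each value by at most 1, which is why the page restricts it to the least significant bit, and the categorical mark disappears as soon as any system in the data path trims trailing whitespace, which `extract_category` reports as an unreadable bit rather than a wrong one.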

(8) The data storage module is configured to store the automatically encrypted sensitive data in the database; database storage supports multi-site disaster recovery and master/standby switchover.

(9) The security audit engine module is configured to detect intrusions into the system, during or after the event, through continuous information collection and analysis.

The security audit engine module comprises a log integration unit, an anomaly detection unit, an automatic alerting unit and an anomaly handling unit.

The log integration unit collects the log records generated while the system runs and stores and manages them centrally in a unified format;

the anomaly detection unit uses a set of preset event correlation rules to identify abnormal host states, risky access terminals, and abnormal access requests and access traffic;

the automatic alerting unit sends alert notifications for the abnormal events identified by the anomaly detection unit;

the anomaly handling unit gives disposal recommendations for the security events detected by the anomaly detection unit.

Embodiment 2

In one or more embodiments, a data security protection method based on the Internet of Things is disclosed. The method is based on the system of Embodiment 1 and comprises the following process:

Step one: the terminal device registers and is authorized, and obtains its terminal digital certificate and device information;

Step two: the terminal and the back end negotiate and exchange keys and establish a TLS 1.2 secure channel;

Step three: the terminal sends its raw protocol data traffic over the secure channel, carrying the terminal certificate and device information for authentication and authorization;

Step four: when the traffic reaches the back-end system, the back-end traffic decryption module decrypts the ciphertext, recovers the raw protocol data traffic together with the terminal certificate and device information, and verifies the legitimacy of the IoT terminal's identity from the digital certificate and the device information. If the identity check fails, the raw protocol traffic is intercepted, is not forwarded to the network packet analysis module, and the anomaly is written to the log file; if it passes, the raw protocol traffic goes on to protocol decoding, sensitive data detection and security audit.
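An added example of the back-end side of steps two and four (not the patent's code): a server TLS context with TLS 1.2 as the minimum version and a client certificate required, and the identity check that binds the presented certificate to the device record created at registration, dropping and logging any traffic that fails. The registry, the device fields checked, the log message and the byte strings standing in for DER certificates are all assumptions; in a real server the certificate bytes would come from `conn.getpeercert(binary_form=True)`.

```python
import hashlib
import logging
import ssl

log = logging.getLogger("iot-gateway")


def make_server_context(ca_file: str = None) -> ssl.SSLContext:
    """Back-end side of step two: TLS 1.2 as the floor and a client certificate
    required, so the terminal certificate is presented in the handshake.
    `ca_file`, the CA that issues terminal certificates, is an assumption."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file:
        ctx.load_verify_locations(ca_file)
    return ctx


def context_checks(ctx: ssl.SSLContext) -> dict:
    """Start-up self-check of the two settings that matter here."""
    return {"tls12_floor": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
            "client_cert_required": ctx.verify_mode == ssl.CERT_REQUIRED}


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of the DER certificate presented in the handshake."""
    return "sha256:" + hashlib.sha256(der_cert).hexdigest()


# Constructed registration records (step one): fingerprint -> device record.
# The byte strings stand in for real DER certificates; not real data.
REGISTRY = {
    fingerprint(b"cert-of-dev-001"): {"device_id": "dev-001", "mac": "00:11:22:33:44:55", "status": "active"},
    fingerprint(b"cert-of-dev-002"): {"device_id": "dev-002", "mac": "00:11:22:33:44:66", "status": "revoked"},
}


def verify_terminal(der_cert: bytes, device_info: dict) -> tuple:
    """Step four: bind the presented certificate to the registered device record.
    The TLS layer has already checked the chain; this check catches a valid
    certificate presented together with another device's identity."""
    entry = REGISTRY.get(fingerprint(der_cert))
    if entry is None:
        return False, "unregistered certificate"
    if entry["status"] != "active":
        return False, "certificate revoked or suspended"
    for key in ("device_id", "mac"):
        if device_info.get(key) != entry[key]:
            return False, f"{key} does not match registration"
    return True, "ok"


def handle_frame(der_cert: bytes, device_info: dict, payload: bytes):
    """Gate in front of the packet-analysis module: returns the payload to
    forward, or None after logging the rejection."""
    ok, reason = verify_terminal(der_cert, device_info)
    if not ok:
        log.warning("terminal rejected fp=%s device_id=%s reason=%s",
                    fingerprint(der_cert)[:23], device_info.get("device_id"), reason)
        return None
    return payload


if __name__ == "__main__":
    print(context_checks(make_server_context()))
    print(verify_terminal(b"cert-of-dev-001", {"device_id": "dev-001", "mac": "00:11:22:33:44:55"}))
    print(verify_terminal(b"cert-of-dev-001", {"device_id": "dev-009", "mac": "00:11:22:33:44:55"}))
```

The second check is the one the page's step four adds on top of TLS: a certificate that is perfectly valid but registered to `dev-001` is refused when it arrives with `dev-009`'s device information, and a revoked registration refuses the terminal even though its certificate still parses.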

In this embodiment, protocol decoding of the raw protocol data traffic comprises:

All received TCP and HTTP traffic is copied in real time to a mirror server. The analysis module deployed on the mirror server decodes the protocols, matches the business data against logical filtering rules, and stores the data that satisfies the business rules in a message queue; the message queue absorbs bursts of instantaneous traffic (peak shaving).

In this embodiment, sensitive data detection on the raw protocol data traffic comprises:

Step one: fetch the IoT terminal device data from the message queue and preprocess it: data cleaning, stop-word removal and text normalization;

(1-1) fetch the raw IoT terminal device data from the message queue;

(1-2) clean the raw data with regular expressions, removing useless data and symbolic text; process punctuation by priority, keeping important marks such as commas and full stops;

(1-3) segment the IoT terminal device data with the jieba tokenizer to obtain the segmented terminal-data text;

(1-4) load the stop-word list and the custom dictionary. The custom dictionary consists of words that the jieba tokenizer should not split.

Step two: train the BERT+BiLSTM+CRF sensitive-data recognition model on the auxiliary data set: BERT produces character vectors from the data, a bidirectional long short-term memory network learns contextual features for sensitive data recognition, and a CRF layer performs the final sequence labelling.

(2-1) the auxiliary data set is a collected text corpus annotated with sensitive data such as person names and place names; it is fed to BERT, which outputs character vectors;

(2-2) the character vectors from (2-1) are input to the recognition algorithm, and a BiLSTM extracts the contextual information;

(2-3) a CRF layer decodes the BiLSTM output as a sequence, using the state transition matrix to obtain the globally optimal label sequence;

(2-4) the output of the recognition algorithm is the predicted entity labels and the trained sensitive data recognition model M.

Step three: train a word2vec model on the IoT terminal device data; the trained model is called the IoT terminal-data word vectorization model;

(3-1) segment the auxiliary data set with jieba to obtain the segmented auxiliary text;

(3-2) load the stop-word list and the custom dictionary, which consists of words that the jieba tokenizer should not split;

(3-3) train a word2vec model on the segmented auxiliary text to obtain the auxiliary-data word vectorization model, and train a word2vec model on the segmented terminal-data text from (1-3) to obtain the IoT terminal-data word vectorization model.

Step four: for the samples of the auxiliary data set, compute word importance and rank the words; the top m words form the auxiliary keyword set. For the samples of the IoT terminal device data set, do the same; the top m words form the IoT terminal-data keyword set;

(4-1) compute the sentence keyword frequency KF_{i,j} for the IoT terminal device data and KF'_{i,j} for the auxiliary data set. KF_{i,j} is the frequency of keyword i in sentence j and is computed from n_{i,j}, the number of times keyword i occurs in sentence j (the formula appears in the original only as an image, Figure BDA0003396460370000131).

(4-2) compute the inverse sentence frequency ISF for the auxiliary data set and ISF' for the IoT terminal device data (formula given in the original as an image, Figure BDA0003396460370000141). SF (sentence frequency) is the number of sentences in which a word occurs and ISF (inverse sentence frequency) is its inverse; ISF_i is the inverse sentence frequency of word i, |S| is the total number of sentences, and |{j : t_i ∈ S_j}| is the number of sentences that contain t_i; 1 is added to the denominator so that it cannot become zero.

(4-3) for the auxiliary data set, the importance of word i in sentence j is I(i,j) = KF_{i,j} × ISF_i;

(4-4) for the IoT terminal device data, the importance of word i in sentence j is I(i,j) = KF'_{i,j} × ISF'_i.

Step five: compute the similarity between the auxiliary keyword set from step four and the IoT terminal-data keyword set, and set a keyword-set similarity threshold;

(5-1) for the auxiliary keywords (set notation given in the original as an image, Figure BDA0003396460370000142), compute L_word = {l_1, l_2, …, l_n} with the auxiliary-data word vectorization model trained in step three;

(5-2) for the IoT terminal-data keywords (Figure BDA0003396460370000143), compute M_word = {m_1, m_2, …, m_n} with the IoT terminal-data word vectorization model trained in step three;

(5-3) for the vectors of L_word and M_word (Figures BDA0003396460370000144 and BDA0003396460370000145), compute the keyword similarity sim_word as their cosine similarity (formula given in the original as an image, Figure BDA0003396460370000146).

(5-4) set the keyword similarity threshold (0.4, 0.6).

Step six: compute the similarity between sentences of the auxiliary data set and sentences of the IoT terminal device data set, and set a sentence similarity threshold;

(6-1) for every sentence x_s of the auxiliary data set, compute its sentence vector with the auxiliary-data word vectorization model from step three, giving L_sen = {l_1, l_2, …, l_n};

(6-2) for every sentence x_s of the IoT terminal device data set, compute its sentence vector with the IoT terminal-data word vectorization model from step three, giving M_sen = {m_1, m_2, …, m_n};

(6-3) compute the sentence-level similarity sim_sen between L_sen and M_sen as their cosine similarity (formula given in the original as an image, Figure BDA0003396460370000151).

(6-4) set the sentence-level similarity threshold (0.4, 0.6).

Step seven: compute a usability value for each sample of the auxiliary data set and set a usability threshold;

(7-1) from sim_sen and sim_word compute the sample usability SU (formula given in the original as an image, Figure BDA0003396460370000152), where α is the weight of sentence-level similarity in SU and β the weight of keyword similarity;

(7-2) set the SU threshold (0.4, 0.6).

Step eight: expand the IoT terminal device data set with samples from the auxiliary data set, then run the sensitive data detection model M over the expanded data set.

(8-1) according to the keyword similarity threshold, add the auxiliary samples with high keyword similarity to the IoT terminal device sample set;

(8-2) according to the sentence-level similarity threshold, add the auxiliary samples with high sentence similarity to the IoT terminal device sample set;

(8-3) according to the sample usability threshold, add the auxiliary samples with high usability to the IoT terminal device sample set; the expanded IoT terminal device data is denoted T;

(8-4) apply the sensitive data detection model M from step two to T to obtain the sensitive data contained in the IoT terminal device data.
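Steps four to eight above, the keyword ranking and the similarity-driven expansion of the terminal data set, as an added example that is not the patent's code. Because the page gives its formulas only as images, the exact forms used here are assumptions: KF_{i,j} is n_{i,j} divided by the sentence length, ISF_i is log(|S| / (1 + |{j : t_i ∈ S_j}|)) clamped at zero, and SU = α·sim_sen + β·sim_word. Simple bag-of-words vectors stand in for the word2vec vectors so that the block runs offline, and the sentences are constructed, pre-segmented samples (the page segments with jieba).

```python
import math
from collections import Counter


def keyword_frequency(sentence):
    """KF_{i,j}: occurrences n_{i,j} of word i in sentence j, divided by the
    sentence length (the normalisation is an assumption of this example)."""
    if not sentence:
        return {}
    return {w: c / len(sentence) for w, c in Counter(sentence).items()}


def inverse_sentence_frequency(sentences):
    """ISF_i = log(|S| / (1 + |{j : t_i in S_j}|)), clamped at 0. The +1 in the
    denominator is from the embodiment; the log form is an assumption."""
    total = len(sentences)
    df = Counter(w for s in sentences for w in set(s))
    return {w: max(0.0, math.log(total / (1 + n))) for w, n in df.items()}


def importance(sentences):
    """I(i,j) = KF_{i,j} * ISF_i for every word i of every sentence j."""
    isf = inverse_sentence_frequency(sentences)
    return [{w: kf * isf[w] for w, kf in keyword_frequency(s).items()} for s in sentences]


def keyword_set(sentences, m):
    """Top-m words of a data set, ranked by their highest importance in any sentence."""
    best = {}
    for table in importance(sentences):
        for w, score in table.items():
            best[w] = max(best.get(w, 0.0), score)
    ranked = sorted(best.items(), key=lambda kv: (-kv[1], kv[0]))
    return [w for w, _ in ranked[:m]]


def cosine(u, v):
    """Cosine similarity of two sparse vectors given as dicts."""
    dot = sum(u[k] * v[k] for k in u.keys() & v.keys())
    nu = math.sqrt(sum(x * x for x in u.values()))
    nv = math.sqrt(sum(x * x for x in v.values()))
    return dot / (nu * nv) if nu and nv else 0.0


def sample_usability(aux_sentence, aux_keywords, iot_sentences, iot_keywords,
                     alpha=0.5, beta=0.5):
    """Steps five to seven for one auxiliary sample: sim_sen is the best cosine
    against any terminal sentence, sim_word compares the sample's keyword hits
    with the terminal keyword set, and SU = alpha*sim_sen + beta*sim_word."""
    bow = Counter(aux_sentence)
    sim_sen = max((cosine(bow, Counter(s)) for s in iot_sentences), default=0.0)
    aux_vec = {w: 1.0 for w in aux_keywords if w in bow}
    iot_vec = {w: 1.0 for w in iot_keywords}
    sim_word = cosine(aux_vec, iot_vec)
    return alpha * sim_sen + beta * sim_word, sim_sen, sim_word


def expand_dataset(iot_sentences, aux_sentences, m=5, threshold=0.6, alpha=0.5, beta=0.5):
    """Step eight: append the auxiliary samples whose SU reaches the threshold;
    returns (expanded data set T, chosen samples)."""
    iot_kw = keyword_set(iot_sentences, m)
    aux_kw = keyword_set(aux_sentences, m)
    chosen = [s for s in aux_sentences
              if sample_usability(s, aux_kw, iot_sentences, iot_kw, alpha, beta)[0] >= threshold]
    return iot_sentences + chosen, chosen


# Constructed, pre-segmented sentences (not real device data).
IOT_SENTENCES = [
    ["device", "dev-001", "reported", "owner", "phone", "13800138000"],
    ["meter", "dev-002", "installed", "address", "Jinan", "Lixia", "district"],
    ["device", "dev-003", "reported", "temperature", "21.5"],
    ["gateway", "dev-004", "owner", "phone", "13600136000", "address", "Qingdao"],
]
AUX_SENTENCES = [
    ["customer", "phone", "13900139000", "address", "Jinan", "Shizhong", "district"],
    ["quarterly", "revenue", "grew", "eight", "percent"],
    ["device", "dev-001", "reported", "owner", "phone", "13800138000"],
]

if __name__ == "__main__":
    expanded, chosen = expand_dataset(IOT_SENTENCES, AUX_SENTENCES, m=5, threshold=0.4)
    print("terminal keywords:", keyword_set(IOT_SENTENCES, 5))
    print("auxiliary samples added:", chosen)
```

Running it shows the intended behaviour of the threshold: an auxiliary sentence with no vocabulary in common with the terminal data scores SU = 0 and is left out, while one that matches a terminal sentence scores at least α and is added to T.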

In this embodiment, the security audit of the raw protocol data traffic comprises:

Step one: collect the logs generated by each log source so that they are managed and stored centrally;

Step two: run correlation analysis with the event correlation rules preset in the engine to monitor for abnormal host states, risky access terminals, abnormal access requests and abnormal access traffic;

Step three: notify abnormal events by e-mail, SMS, voice call and similar channels;

Step four: dispose of the detected anomalies or security events. A host in an abnormal state is blocked from accessing other systems, and the cause of the anomaly is traced further to identify the subject behind the risky access; a risky access terminal has its access restricted until the terminal's risk is remediated; for an abnormal request, the requesting subject has its access restricted; for abnormal access traffic, the subject is traced and its access restricted, and in serious cases the subject is banned.
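The four audit steps above, as an added example that is not the patent's code: log lines in a unified format are parsed, a small set of correlation rules identifies the four event classes the page names, and each alert carries the disposal action of step four. The JSON line format, the rule thresholds, the operation allow-list and the log lines themselves are constructed assumptions; real delivery by e-mail, SMS or voice is outside the example.

```python
import json
from collections import defaultdict

# Constructed log lines in an assumed unified JSON format (not real logs).
LOG_LINES = """
{"ts": 1638835200, "type": "auth", "device_id": "dev-001", "src": "10.0.12.7", "result": "ok"}
{"ts": 1638835201, "type": "auth", "device_id": "dev-009", "src": "10.0.12.9", "result": "cert_mismatch"}
{"ts": 1638835202, "type": "auth", "device_id": "dev-009", "src": "10.0.12.9", "result": "cert_mismatch"}
{"ts": 1638835203, "type": "auth", "device_id": "dev-009", "src": "10.0.12.9", "result": "cert_mismatch"}
{"ts": 1638835210, "type": "request", "device_id": "dev-001", "src": "10.0.12.7", "op": "report_reading"}
{"ts": 1638835211, "type": "request", "device_id": "dev-001", "src": "10.0.12.7", "op": "dump_config"}
{"ts": 1638835220, "type": "host", "host": "collector-02", "status": "abnormal", "detail": "integrity check failed"}
""".strip().splitlines()
# A burst of 80 requests from one terminal inside 40 seconds (constructed).
LOG_LINES += [json.dumps({"ts": 1638835230 + i // 2, "type": "request", "device_id": "dev-005",
                          "src": "10.0.12.5", "op": "report_reading"}) for i in range(80)]

ALLOWED_OPS = {"report_reading", "heartbeat", "time_sync"}   # assumed protocol allow-list
AUTH_FAIL_LIMIT = 3     # identity failures per terminal within WINDOW -> risky terminal
RATE_LIMIT = 30         # requests per terminal within WINDOW -> abnormal traffic
BAN_FACTOR = 2          # more than RATE_LIMIT * BAN_FACTOR -> ban instead of restrict
WINDOW = 60             # seconds


def parse_logs(lines):
    """Step one: the log integration unit's view, one event per well-formed line."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a malformed line must not stop the audit engine
    return sorted(events, key=lambda e: e["ts"])


def _max_in_window(stamps):
    """Largest number of timestamps that fall inside any WINDOW-second span."""
    stamps = sorted(stamps)
    best, lo = 0, 0
    for hi in range(len(stamps)):
        while stamps[hi] - stamps[lo] >= WINDOW:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def _alert(kind, subject, advice):
    return {"kind": kind, "subject": subject, "advice": advice}


def correlate(events):
    """Step two: the preset correlation rules; each alert carries the step-four disposal."""
    alerts = []
    fails, requests = defaultdict(list), defaultdict(list)
    for e in events:
        if e["type"] == "auth" and e["result"] != "ok":
            fails[e["device_id"]].append(e["ts"])
        elif e["type"] == "request":
            requests[e["device_id"]].append(e["ts"])
            if e["op"] not in ALLOWED_OPS:   # abnormal access request
                alerts.append(_alert("abnormal_request", e["device_id"],
                                     f"restrict the requesting subject; op={e['op']}"))
        elif e["type"] == "host" and e["status"] == "abnormal":   # abnormal host state
            alerts.append(_alert("abnormal_host", e["host"],
                                 "block outbound access to other systems; trace the cause: " + e.get("detail", "")))
    for dev, stamps in fails.items():   # risky access terminal
        if _max_in_window(stamps) >= AUTH_FAIL_LIMIT:
            alerts.append(_alert("risky_terminal", dev, "restrict access until the terminal risk is remediated"))
    for dev, stamps in requests.items():   # abnormal access traffic
        peak = _max_in_window(stamps)
        if peak > RATE_LIMIT * BAN_FACTOR:
            alerts.append(_alert("abnormal_traffic", dev, f"trace the subject and ban it ({peak} req/{WINDOW}s)"))
        elif peak > RATE_LIMIT:
            alerts.append(_alert("abnormal_traffic", dev, f"trace the subject and restrict it ({peak} req/{WINDOW}s)"))
    return alerts


def notify(alerts):
    """Step three: one message line per alert (delivery channel left out)."""
    return [f"[{a['kind']}] {a['subject']}: {a['advice']}" for a in alerts]


if __name__ == "__main__":
    for line in notify(correlate(parse_logs(LOG_LINES))):
        print(line)
```

On the constructed lines the engine raises exactly the four classes the page lists: `dev-009` becomes a risky terminal after three identity failures, `dev-001`'s `dump_config` is an abnormal request, `dev-005`'s burst exceeds twice the rate limit and gets the ban disposal, and `collector-02` is an abnormal host.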

In summary, in use the terminal device first registers and is authorized and obtains its terminal digital certificate and device information; it then negotiates and exchanges keys with the back end to establish a TLS 1.2 secure channel, over which it sends its raw protocol data traffic together with the terminal certificate and device information for authentication and authorization. When the traffic reaches the back-end system, the traffic decryption module decrypts the ciphertext, recovers the raw protocol traffic with the terminal certificate and device information, and verifies the legitimacy of the IoT terminal's identity from the certificate and the device information. This exchange ensures that the terminal's identity is trusted and that traffic from the terminal is encrypted transparently end to end, which greatly improves the security of the data traffic. The network packet collection and analysis module mirrors the terminal traffic efficiently and, using a BERT model combined with a bidirectional long short-term memory network and a conditional random field, identifies sensitive data automatically, addressing the low detection accuracy of existing techniques on structured, unstructured and other data types. The sensitive data automatic encryption module is connected to the physical encryption machine control module and calls the encryption/decryption, masking and watermarking modules provided by the HSM to encrypt, mask and watermark the sensitive data produced by the AI model; this improves data security when sensitive data is shared and makes leaked data traceable, while the HSM's access control management keeps key management secure and standardized. The traffic analysis, detection and encryption performed by the system are all transparent to the IoT terminal, so sensitive data is protected without any awareness on the terminal's part.

Although specific embodiments of the invention have been described above with reference to the drawings, they do not limit the scope of protection. Those skilled in the art will understand that modifications or variations that can be made on the basis of the technical solution of the invention without inventive effort remain within its scope of protection.

Claims (10)

1.一种基于物联网的数据安全防护系统,其特征在于,包括:1. a data security protection system based on the Internet of Things, is characterized in that, comprises: 物联网终端身份认证模块,被配置为用于终端设备的注册和授权,以获取终端数字证书和设备信息;The IoT terminal identity authentication module is configured for registration and authorization of terminal devices to obtain terminal digital certificates and device information; 终端网络流量加密模块,被配置为用于通过密钥协商建立安全加密信道,基于所述安全加密信道发送终端原始协议数据流量,并带入终端证书和设备信息进行认证授权;The terminal network traffic encryption module is configured to establish a secure encrypted channel through key negotiation, send the terminal original protocol data traffic based on the secure encrypted channel, and bring in the terminal certificate and device information for authentication and authorization; 后台流量解密模块,被配置为用于对终端原始协议数据流量密文进行解密,获取原始协议数据流量;The background traffic decryption module is configured to decrypt the ciphertext of the original protocol data traffic of the terminal to obtain the original protocol data traffic; 后台身份认证模块,被配置为用于获取流量中的终端证书和设备信息,基于数字证书和终端设备信息校验物联网终端的身份合法性;The background identity authentication module is configured to obtain the terminal certificate and device information in the traffic, and verify the identity legitimacy of the IoT terminal based on the digital certificate and the terminal device information; 流量协议分析模块,被配置为用于实时将所有接受的到的TCP和Http流量复制给镜像服务器;所述镜像服务器对接收的数据进行协议解码,基于逻辑筛选规则将符合业务规则的数据存储至消息队列,由消息队列进行对瞬时流量进行削峰;The traffic protocol analysis module is configured to copy all the received TCP and Http traffic to the mirror server in real time; the mirror server performs protocol decoding on the received data, and stores the data that conforms to the business rules based on logical filtering rules to the mirror server. 
Message queue, which is used for peak clipping of instantaneous traffic; 敏感数据检测模块,被配置为用于对削峰后的瞬时流量中的敏感数据进行检测;A sensitive data detection module, configured to detect sensitive data in the instantaneous traffic after peak clipping; 物理加密机控制模块,被配置为用于实现敏感数据自动加解密、权限管理、数据脱敏及数据水印功能控制。The physical encryption machine control module is configured to realize automatic encryption and decryption of sensitive data, rights management, data desensitization and data watermark function control. 2.如权利要求1所述的一种基于物联网的数据安全防护系统,其特征在于,还包括:2. A kind of data security protection system based on Internet of Things as claimed in claim 1, is characterized in that, also comprises: 数据存储模块,被配置为用于对自动加密的敏感数据进行入库存储操作;A data storage module, configured to perform an inbound storage operation for automatically encrypted sensitive data; 安全审计引擎模块,被配置为用于通过持续的信息收集及分析,在事中或事后发现系统侵害行为。The security audit engine module is configured to detect system violations during or after the event through continuous information collection and analysis. 3.如权利要求1所述的一种基于物联网的数据安全防护系统,其特征在于,所述数据水印功能具体如下:3. a kind of data security protection system based on Internet of Things as claimed in claim 1, is characterized in that, described data watermark function is as follows: 采用数值属性水印嵌入方法和类别属性水印嵌入方法自动对不同的敏感数据增加数据库水印;其中,所述数值属性水印嵌入方法修改原始数值嵌入“0”或“1”水印比特;所述类别属性水印嵌入方法在类别属性值末尾嵌入回车符、换行符来表示“0”、“1”水印比特。The numerical attribute watermark embedding method and the category attribute watermark embedding method are used to automatically add database watermarks to different sensitive data; wherein, the numerical attribute watermark embedding method modifies the original numerical value and embeds "0" or "1" watermark bits; the category attribute watermark The embedding method embeds carriage return and line feed at the end of the category attribute value to represent "0" and "1" watermark bits. 4.如权利要求1所述的一种基于物联网的数据安全防护系统,其特征在于,所述安全审计引擎模块包括:4. 
The data security protection system based on the Internet of Things as claimed in claim 1, wherein the security audit engine module comprises: 日志集成单元,用于通过采集系统运行中生成的日志信息,以统一格式集中存储和管理日志;The log integration unit is used to centrally store and manage logs in a unified format by collecting log information generated during system operation; 异常检测单元,用于通过预置多种事件关联规则,识别异常主机状态、有风险的访问终端及异常的访问请求和访问流量;The abnormality detection unit is used to identify abnormal host status, risky access terminals, abnormal access requests and access traffic by presetting various event association rules; 自动告警单元,用于对识别的异常事件自动发送告警通知;The automatic alarm unit is used to automatically send an alarm notification to the identified abnormal events; 异常处理单元,用于对监测到的安全事件,给予相应的处置建议。The exception handling unit is used to give corresponding handling suggestions to the monitored security events. 5.一种基于物联网的数据安全防护方法,其特征在于,包括:5. A data security protection method based on the Internet of Things, characterized in that, comprising: 对终端设备进行注册和授权,并获取终端数字证书和设备信息;Register and authorize terminal devices, and obtain terminal digital certificates and device information; 将终端设备与后台进行密钥协商、交换密钥,创建TLS1.2安全通道;Perform key negotiation and key exchange between the terminal device and the background, and create a TLS1.2 secure channel; 终端设备在安全信道发送原始协议数据流量,并带入终端证书和设备信息进行认证授权;The terminal device sends the original protocol data traffic in the secure channel, and brings in the terminal certificate and device information for authentication and authorization; 在流量到达后台系统时,对流量密文进行解密,获取原始协议数据流量及终端证书和设备信息,并基于数字证书和终端设备信息校验物联网终端的身份合法性;When the traffic reaches the background system, decrypt the traffic ciphertext, obtain the original protocol data traffic and terminal certificate and device information, and verify the identity legitimacy of the IoT terminal based on the digital certificate and terminal device information; 终端身份校验不通过时,原始协议数据流量将被拦截,不再转发至网络报文分析模块,并将异常写入日志文件;终端身份校验通过时,对原始协议数据流量进行协议解码、敏感数据检测与安全审计操作。When the terminal identity verification 
fails, the original protocol data traffic will be intercepted, not forwarded to the network packet analysis module, and the exception will be written to the log file; when the terminal identity verification passes, the original protocol data traffic will be protocol decoded, Sensitive data detection and security audit operations. 6.如权利要求5所述的一种基于物联网的数据安全防护方法,其特征在于,对原始协议数据流量进行协议解码,具体包括:6. a kind of data security protection method based on Internet of Things as claimed in claim 5, is characterized in that, carries out protocol decoding to original protocol data flow, specifically comprises: 实时收集服务器上的全量数据包,并将所有接受到的流量复制给镜像服务器;Collect the full amount of data packets on the server in real time, and copy all the received traffic to the mirror server; 部署在镜像服务器上的分析模块对接收的数据进行TCP和HTTP协议解码,对具体业务数据匹配逻辑筛选规则,对不匹配规则的数据过滤掉,将符合业务规则的数据存储至消息队列。The analysis module deployed on the mirror server performs TCP and HTTP protocol decoding on the received data, matches logical filtering rules for specific business data, filters out data that does not match the rules, and stores the data that conforms to the business rules in the message queue. 7.如权利要求5所述的一种基于物联网的数据安全防护方法,其特征在于,对原始协议数据流量进行敏感数据检测,具体包括:7. 
The data security protection method based on the Internet of Things according to claim 5, wherein performing sensitive data detection on the original protocol data traffic specifically comprises:
obtaining IoT terminal device data from the message queue, and performing data cleaning, stop-word removal and text normalization preprocessing on the data to obtain an IoT terminal device dataset;
obtaining a text set annotated with sensitive data as an auxiliary dataset;
for the samples of the auxiliary dataset, computing and ranking word importance, the top m words forming the auxiliary dataset keyword set; for the samples of the IoT terminal device dataset, computing and ranking word importance, the top m words forming the IoT terminal device dataset keyword set;
computing the similarity between the auxiliary dataset keyword set and the IoT terminal device dataset keyword set, and the similarity between auxiliary dataset sentences and IoT terminal device dataset sentences;
extending the auxiliary keywords and the auxiliary dataset sentence samples whose similarity is above the set threshold into the IoT terminal device dataset samples;
performing sensitive data recognition on the expanded IoT terminal device dataset with the trained sensitive data detection model, wherein the sensitive data detection model obtains character vectors for the data through a BERT model, learns contextual data features through a bidirectional long short-term memory network to recognize sensitive data, and finally applies a CRF for sequence labelling.
8. The data security protection method based on the Internet of Things according to claim 7, wherein computing and ranking word importance for the samples of the auxiliary dataset and the samples of the IoT terminal device dataset specifically comprises:
computing the sentence keyword frequency and the inverse sentence frequency for the IoT terminal device data;
computing the sentence keyword frequency and the inverse sentence frequency for the auxiliary dataset;
obtaining, from the product of the sentence keyword frequency and the inverse sentence frequency, the importance of a word i in a sentence j of the auxiliary dataset, and the importance of a word i in a sentence j of the IoT terminal device data, respectively.
9. The data security protection method based on the Internet of Things according to claim 5, wherein performing security audit operations on the original protocol data traffic specifically comprises:
collecting the logs generated by the log sources;
performing correlation analysis through a plurality of preset event correlation rules to monitor events of abnormal host status, risky access terminals, abnormal access requests and abnormal access traffic, and issuing alarm notifications for abnormal events;
applying the corresponding disposition to each detected abnormality or security event.
10. The data security protection method based on the Internet of Things according to claim 5, wherein applying the corresponding disposition to each detected abnormality or security event specifically comprises:
for a host in an abnormal state, restricting its outbound access to other systems while tracing the cause of the abnormality and identifying the risky access subject;
for a risky access terminal, restricting its access rights until the terminal's risk is remediated;
for an abnormal request, restricting the access rights of the requesting subject;
for abnormal access traffic, tracing its access subject and restricting or blocking that subject's access rights.
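The keyword-importance and dataset-expansion steps of claims 7 and 8, worked through in Python as an added example; this is not code from the patent or its assignees. It assumes the similarity metrics the claims leave open (Jaccard for the keyword sets, cosine over bag-of-words vectors for sentences), that the keyword set of a dataset is built from each word's highest per-sentence importance, that "text normalization" collapses digit runs to a `<num>` placeholder, and that the keyword gate is applied at set level. The message-queue payloads and the annotated auxiliary text set are constructed English samples, and the BERT + BiLSTM + CRF detector that consumes the expanded dataset is not reproduced.

```python
"""Added example (not the patent's code): preprocessing, word importance as
sentence keyword frequency x inverse sentence frequency, top-m keyword sets,
similarity and threshold-based expansion of the IoT dataset (claims 7-8).
Similarity metrics, digit normalisation and the set-level keyword gate are
assumptions; the BERT/BiLSTM/CRF detector is out of scope here."""
import math
import re
from collections import Counter

STOP_WORDS = {"a", "an", "the", "is", "of", "to", "and", "for", "in", "on", "with"}


def preprocess(text):
    """Cleaning, stop-word removal, normalisation: lowercase, strip punctuation,
    collapse digit runs to a <num> placeholder (assumed normalisation rule)."""
    tokens = re.findall(r"[A-Za-z0-9]+", text.lower())
    tokens = ["<num>" if t.isdigit() else t for t in tokens]
    return [t for t in tokens if t not in STOP_WORDS]


def sentence_keyword_frequency(sentence):
    """Frequency of each word within one sentence."""
    counts = Counter(sentence)
    return {w: c / len(sentence) for w, c in counts.items()}


def inverse_sentence_frequency(dataset):
    """ISF(w) = ln(N / n_w): N sentences in the dataset, n_w of them contain w."""
    n = len(dataset)
    df = Counter(w for s in dataset for w in set(s))
    return {w: math.log(n / c) for w, c in df.items()}


def word_importance(dataset):
    """Importance of word i in sentence j = SKF(i, j) * ISF(i), the product of claim 8."""
    isf = inverse_sentence_frequency(dataset)
    return [{w: f * isf[w] for w, f in sentence_keyword_frequency(s).items()}
            for s in dataset]


def top_m_keywords(dataset, m):
    """Rank words by their highest per-sentence importance (ties alphabetical); keep m."""
    best = {}
    for scores in word_importance(dataset):
        for w, v in scores.items():
            best[w] = max(best.get(w, 0.0), v)
    return sorted(best, key=lambda w: (-best[w], w))[:m]


def keyword_set_similarity(a, b):
    """Jaccard similarity between two keyword sets (assumed metric)."""
    a, b = set(a), set(b)
    return len(a & b) / len(a | b) if (a or b) else 0.0


def sentence_similarity(s1, s2):
    """Cosine similarity between bag-of-words vectors (assumed metric)."""
    c1, c2 = Counter(s1), Counter(s2)
    dot = sum(c1[w] * c2[w] for w in c1)
    n1 = math.sqrt(sum(v * v for v in c1.values()))
    n2 = math.sqrt(sum(v * v for v in c2.values()))
    return dot / (n1 * n2) if n1 and n2 else 0.0


def expand_dataset(iot, aux, m, threshold):
    """Return (expanded IoT samples, merged keyword set).

    Auxiliary sentences whose best similarity to any IoT sentence is above the
    threshold are appended; auxiliary keywords are merged when the two keyword
    sets are similar enough (set-level reading of claim 7)."""
    iot_kw, aux_kw = top_m_keywords(iot, m), top_m_keywords(aux, m)
    keywords = list(iot_kw)
    if keyword_set_similarity(iot_kw, aux_kw) > threshold:
        keywords += [w for w in aux_kw if w not in iot_kw]
    added = [a for a in aux if max(sentence_similarity(a, s) for s in iot) > threshold]
    return iot + added, keywords


# Constructed samples standing in for message-queue payloads and the annotated
# auxiliary text set; none of this is real device data.
IOT_RAW = [
    "Phone 13800001111",
    "phone 13800002222",
    "gateway uploads meter reading 42 kwh every fifteen minutes",
    "device firmware version 3 reported with uptime counter",
]
AUX_RAW = [
    "phone 13900003333",
    "phone 13900004444",
    "customer id card 370102199001011234 leaked",
    "quarterly maintenance schedule published on portal",
]


def run_example(m=3, threshold=0.15):
    """Preprocess both sets, then expand the IoT dataset (m and threshold assumed)."""
    iot = [preprocess(t) for t in IOT_RAW]
    aux = [preprocess(t) for t in AUX_RAW]
    return expand_dataset(iot, aux, m, threshold)


if __name__ == "__main__":
    samples, keywords = run_example()
    print("merged keyword set:", keywords)
    for s in samples:
        print(" ".join(s))
```

On this input the ranking keeps `phone` (short sentences, present in half the set) and drops the `<num>` placeholder (present in every IoT sentence, so its inverse sentence frequency is zero); the unrelated "maintenance schedule" sample scores 0 against every IoT sentence and is not merged. The third auxiliary sample is merged only because it shares the `<num>` placeholder, which is the kind of false match a practitioner should expect from bag-of-words similarity on short protocol payloads.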
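The audit and disposition steps of claims 9 and 10, as an added Python example that is not code from the patent or its assignees. It collects constructed log records from three sources, runs four preset correlation rules that stand in for the "abnormal host status", "risky access terminal", "abnormal access request" and "abnormal access traffic" event classes, and maps each alert to the handling listed in claim 10. The log schema, the rule logic and every threshold are assumptions chosen for illustration.

```python
"""Added example (not the patent's code): collect -> correlate -> alert -> dispose
for claims 9 and 10. Log schema, rules and thresholds are assumed."""
import re
from collections import Counter

# Preset rule thresholds (assumed values).
CPU_ABNORMAL = 90             # percent
AUTH_FAILURES_BEFORE_OK = 3   # failed logins immediately preceding a success
TRAFFIC_BYTES_LIMIT = 5_000   # bytes from one subject within the batch
TRAFFIC_REQ_LIMIT = 10        # requests from one subject within the batch
INJECTION = re.compile(r"('\s*or\s*'|\.\./|<script)", re.IGNORECASE)

# Constructed log records (not real telemetry); "src" names the log source.
LOGS = [
    {"src": "host", "host": "hmi-01", "cpu": 97, "unexpected_listener": 4444},
    {"src": "host", "host": "hmi-02", "cpu": 35, "unexpected_listener": None},
    {"src": "auth", "terminal": "term-7", "result": "fail"},
    {"src": "auth", "terminal": "term-7", "result": "fail"},
    {"src": "auth", "terminal": "term-7", "result": "fail"},
    {"src": "auth", "terminal": "term-7", "result": "ok"},
    {"src": "auth", "terminal": "term-9", "result": "fail"},
    {"src": "auth", "terminal": "term-9", "result": "ok"},
    {"src": "http", "subject": "app-svc", "path": "/api/meter?id=1' OR '1'='1", "bytes": 300},
    {"src": "http", "subject": "app-svc", "path": "/api/meter?id=2", "bytes": 300},
] + [{"src": "http", "subject": "10.0.0.9", "path": "/export?all=1", "bytes": 600}
     for _ in range(12)]


def collect(logs, source):
    """Log collection: select the records produced by one log source."""
    return [r for r in logs if r["src"] == source]


def rule_abnormal_host(logs):
    """Host running hot while a listener nobody provisioned has appeared."""
    return [{"type": "abnormal_host", "subject": r["host"],
             "evidence": f"cpu={r['cpu']} listener={r['unexpected_listener']}"}
            for r in collect(logs, "host")
            if r["cpu"] > CPU_ABNORMAL and r["unexpected_listener"] is not None]


def rule_risky_terminal(logs):
    """Correlate the auth stream: N failures then a success from one terminal."""
    streak, events = Counter(), []
    for r in collect(logs, "auth"):
        t = r["terminal"]
        if r["result"] == "fail":
            streak[t] += 1
            continue
        if streak[t] >= AUTH_FAILURES_BEFORE_OK:
            events.append({"type": "risky_terminal", "subject": t,
                           "evidence": f"{streak[t]} failures then success"})
        streak[t] = 0
    return events


def rule_abnormal_request(logs):
    """Request content matching an injection or traversal signature."""
    return [{"type": "abnormal_request", "subject": r["subject"], "evidence": r["path"]}
            for r in collect(logs, "http") if INJECTION.search(r["path"])]


def rule_abnormal_traffic(logs):
    """Per-subject volume over the batch exceeds the request or byte limit."""
    reqs, size = Counter(), Counter()
    for r in collect(logs, "http"):
        reqs[r["subject"]] += 1
        size[r["subject"]] += r["bytes"]
    return [{"type": "abnormal_traffic", "subject": s,
             "evidence": f"{reqs[s]} requests, {size[s]} bytes"}
            for s in reqs if reqs[s] > TRAFFIC_REQ_LIMIT or size[s] > TRAFFIC_BYTES_LIMIT]


RULES = [rule_abnormal_host, rule_risky_terminal, rule_abnormal_request, rule_abnormal_traffic]


def correlate(logs):
    """Run every preset rule over the collected logs; each hit is an alert."""
    return [e for rule in RULES for e in rule(logs)]


def dispose(event):
    """Map an alert to the disposition of claim 10 (wording paraphrased)."""
    actions = {
        "abnormal_host": ["restrict outbound access to other systems",
                          "trace the cause of the abnormality",
                          "identify the risky access subject"],
        "risky_terminal": ["restrict access until the terminal risk is remediated"],
        "abnormal_request": ["restrict the access rights of the requesting subject"],
        "abnormal_traffic": ["trace the access subject", "restrict or block its access"],
    }
    return {"subject": event["subject"], "alert": event["type"],
            "evidence": event["evidence"], "actions": actions[event["type"]]}


def audit(logs):
    """Collect, correlate, alert and dispose; returns one disposition per alert."""
    return [dispose(e) for e in correlate(logs)]


if __name__ == "__main__":
    for d in audit(LOGS):
        print(d)
```

The terminal rule is the correlation the claims call out: a single failed login is noise, but three failures immediately followed by a success from the same terminal is the signature worth an alert, so `term-9` (one failure, then success) is ignored while `term-7` is restricted. The same batch also surfaces `hmi-01` for an unexpected listener, `app-svc` for an injection-shaped request and `10.0.0.9` for bulk export traffic.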
CN202111485746.2A 2021-12-07 2021-12-07 Data security protection system and method based on Internet of things Active CN114444033B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111485746.2A CN114444033B (en) 2021-12-07 2021-12-07 Data security protection system and method based on Internet of things

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111485746.2A CN114444033B (en) 2021-12-07 2021-12-07 Data security protection system and method based on Internet of things

Publications (2)

Publication Number Publication Date
CN114444033A true CN114444033A (en) 2022-05-06
CN114444033B CN114444033B (en) 2025-09-19

Family

ID=81363575

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111485746.2A Active CN114444033B (en) 2021-12-07 2021-12-07 Data security protection system and method based on Internet of things

Country Status (1)

Country Link
CN (1) CN114444033B (en)

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114818974A (en) * 2022-05-23 2022-07-29 北京航空航天大学 Inference attack method and system for user activity monitoring under intelligent information system
CN114979281A (en) * 2022-07-11 2022-08-30 成都信息工程大学 Data interaction method applied to industrial internet cloud service platform
CN115065535A (en) * 2022-06-16 2022-09-16 南京第三极区块链科技有限公司 Non-invasive safety communication and access control system and use method thereof
CN115580545A (en) * 2022-12-09 2023-01-06 中用科技有限公司 A communication method for the Internet of Things that improves data transmission efficiency
CN115878653A (en) * 2022-10-25 2023-03-31 中国农业银行股份有限公司 Data access control method and device, electronic equipment and storage medium
CN116366375A (en) * 2023-06-02 2023-06-30 北京华科海讯科技股份有限公司 Artificial intelligence-based security computing method and system
CN116467731A (en) * 2023-06-19 2023-07-21 北京好心情互联网医院有限公司 Sensitive information processing method, device, equipment and storage medium
CN116702152A (en) * 2023-05-11 2023-09-05 李香 Computer safety protection management system with loophole scanning function
CN116881881A (en) * 2023-09-07 2023-10-13 国网思极网安科技(北京)有限公司 Data export methods, devices, electronic devices and computer-readable media
CN117097571A (en) * 2023-10-19 2023-11-21 中孚安全技术有限公司 Method, system, device and medium for detecting network transmission sensitive data
CN117291428A (en) * 2023-11-17 2023-12-26 南京雅利恒互联科技有限公司 Enterprise management APP-based data background management system
CN117978548A (en) * 2024-03-29 2024-05-03 常州芯佰微电子有限公司 Network security access method for electronic information storage system
CN118194330A (en) * 2024-04-11 2024-06-14 南阳市烟草公司油田分公司 Office data encryption storage system and method based on Internet
CN118368152A (en) * 2024-06-20 2024-07-19 山东工程职业技术大学 Big data security protection method and system based on Internet of Things
CN119692955A (en) * 2025-02-25 2025-03-25 北京中碳方舟科技有限公司 An enterprise information management method based on business and financial integrated processing
CN119865351A (en) * 2024-12-31 2025-04-22 上饶高铁经济试验区投资建设有限公司 Internet of things information service method and system based on artificial intelligence

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060277410A1 (en) * 2005-05-23 2006-12-07 Sushil Jajodia Method and Apparatus for Watermarking Stream Data
CN110958262A (en) * 2019-12-15 2020-04-03 国网山东省电力公司电力科学研究院 Ubiquitous Internet of Things security protection gateway system, method and deployment architecture for power industry
CN111064693A (en) * 2018-10-16 2020-04-24 青岛海链数字科技有限公司 Block chain-based household appliance Internet of things user privacy protection method
CN111787066A (en) * 2020-06-06 2020-10-16 王科特 Internet of things data platform based on big data and AI
CN112580110A (en) * 2020-12-23 2021-03-30 国家电网有限公司大数据中心 Data resource sharing safety method based on watermark technology
US20210126931A1 (en) * 2019-10-25 2021-04-29 Cognizant Technology Solutions India Pvt. Ltd System and a method for detecting anomalous patterns in a network
CN112769750A (en) * 2020-12-11 2021-05-07 广东电力通信科技有限公司 Protocol stack sending method suitable for intelligent gateway data management
CN112804310A (en) * 2020-12-31 2021-05-14 河南中盾云安信息科技有限公司 Multi-chain intelligent security gateway for application of Internet of things and implementation method
CN113010915A (en) * 2021-03-10 2021-06-22 广州民航信息技术有限公司 Method, system, electronic device and storage medium for unifying airport data interface
CN113222802A (en) * 2021-05-27 2021-08-06 西安电子科技大学 Digital image watermarking method based on anti-attack

Patent Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060277410A1 (en) * 2005-05-23 2006-12-07 Sushil Jajodia Method and Apparatus for Watermarking Stream Data
CN111064693A (en) * 2018-10-16 2020-04-24 青岛海链数字科技有限公司 Block chain-based household appliance Internet of things user privacy protection method
US20210126931A1 (en) * 2019-10-25 2021-04-29 Cognizant Technology Solutions India Pvt. Ltd System and a method for detecting anomalous patterns in a network
CN110958262A (en) * 2019-12-15 2020-04-03 国网山东省电力公司电力科学研究院 Ubiquitous Internet of Things security protection gateway system, method and deployment architecture for power industry
CN111787066A (en) * 2020-06-06 2020-10-16 王科特 Internet of things data platform based on big data and AI
CN112769750A (en) * 2020-12-11 2021-05-07 广东电力通信科技有限公司 Protocol stack sending method suitable for intelligent gateway data management
CN112580110A (en) * 2020-12-23 2021-03-30 国家电网有限公司大数据中心 Data resource sharing safety method based on watermark technology
CN112804310A (en) * 2020-12-31 2021-05-14 河南中盾云安信息科技有限公司 Multi-chain intelligent security gateway for application of Internet of things and implementation method
CN113010915A (en) * 2021-03-10 2021-06-22 广州民航信息技术有限公司 Method, system, electronic device and storage medium for unifying airport data interface
CN113222802A (en) * 2021-05-27 2021-08-06 西安电子科技大学 Digital image watermarking method based on anti-attack

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
张博: "基于机器学习的物联网入侵检测系统研究", 中国优秀硕士学位论文全文数据库信息科技辑(月刊), no. 2021, 15 March 2021 (2021-03-15), pages 136 - 119 *
黄天峰;: "基于物联网的身份认证技术的研究", 科技风, no. 05, 20 February 2018 (2018-02-20) *

Cited By (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114818974A (en) * 2022-05-23 2022-07-29 北京航空航天大学 Inference attack method and system for user activity monitoring under intelligent information system
CN115065535A (en) * 2022-06-16 2022-09-16 南京第三极区块链科技有限公司 Non-invasive safety communication and access control system and use method thereof
CN115065535B (en) * 2022-06-16 2023-12-15 南京第三极区块链科技有限公司 Non-invasive secure communication and access control system and application method thereof
CN114979281A (en) * 2022-07-11 2022-08-30 成都信息工程大学 Data interaction method applied to industrial internet cloud service platform
CN115878653A (en) * 2022-10-25 2023-03-31 中国农业银行股份有限公司 Data access control method and device, electronic equipment and storage medium
CN115580545A (en) * 2022-12-09 2023-01-06 中用科技有限公司 A communication method for the Internet of Things that improves data transmission efficiency
CN115580545B (en) * 2022-12-09 2023-04-07 中用科技有限公司 A communication method for the Internet of Things that improves data transmission efficiency
CN116702152A (en) * 2023-05-11 2023-09-05 李香 Computer safety protection management system with loophole scanning function
CN116366375A (en) * 2023-06-02 2023-06-30 北京华科海讯科技股份有限公司 Artificial intelligence-based security computing method and system
CN116366375B (en) * 2023-06-02 2023-08-15 北京华科海讯科技股份有限公司 Artificial intelligence-based security computing method and system
CN116467731A (en) * 2023-06-19 2023-07-21 北京好心情互联网医院有限公司 Sensitive information processing method, device, equipment and storage medium
CN116881881B (en) * 2023-09-07 2023-11-24 国网思极网安科技(北京)有限公司 Data export methods, devices, electronic devices and computer-readable media
CN116881881A (en) * 2023-09-07 2023-10-13 国网思极网安科技(北京)有限公司 Data export methods, devices, electronic devices and computer-readable media
CN117097571A (en) * 2023-10-19 2023-11-21 中孚安全技术有限公司 Method, system, device and medium for detecting network transmission sensitive data
CN117291428A (en) * 2023-11-17 2023-12-26 南京雅利恒互联科技有限公司 Enterprise management APP-based data background management system
CN117291428B (en) * 2023-11-17 2024-03-08 南京雅利恒互联科技有限公司 Enterprise management APP-based data background management system
CN117978548A (en) * 2024-03-29 2024-05-03 常州芯佰微电子有限公司 Network security access method for electronic information storage system
CN117978548B (en) * 2024-03-29 2024-05-31 常州芯佰微电子有限公司 Network security access method for electronic information storage system
CN118194330A (en) * 2024-04-11 2024-06-14 南阳市烟草公司油田分公司 Office data encryption storage system and method based on Internet
CN118194330B (en) * 2024-04-11 2025-03-28 南阳市烟草公司油田分公司 Internet-based office data encryption storage system and method
CN118368152A (en) * 2024-06-20 2024-07-19 山东工程职业技术大学 Big data security protection method and system based on Internet of Things
CN119865351A (en) * 2024-12-31 2025-04-22 上饶高铁经济试验区投资建设有限公司 Internet of things information service method and system based on artificial intelligence
CN119865351B (en) * 2024-12-31 2025-09-23 上饶高铁经济试验区投资建设有限公司 Internet of things information service method and system based on artificial intelligence
CN119692955A (en) * 2025-02-25 2025-03-25 北京中碳方舟科技有限公司 An enterprise information management method based on business and financial integrated processing

Also Published As

Publication number Publication date
CN114444033B (en) 2025-09-19

Similar Documents

Publication Publication Date Title
CN114444033B (en) Data security protection system and method based on Internet of things
US10963578B2 (en) Methods and systems for preventing transmission of sensitive data from a remote computer device
CN112800472B (en) Industrial internet identification data protection system based on micro-service architecture
CN107292183B (en) A kind of data processing method and equipment
CN104506545B (en) Leakage prevention method and device
US9654510B1 (en) Match signature recognition for detecting false positive incidents and improving post-incident remediation
US11256825B2 (en) Systems and methods for securing data in electronic communications
US20090064326A1 (en) Method and a system for advanced content security in computer networks
KR20190029509A (en) System and method for securely storing user information in a user profile
CN116680359A (en) Text retrieval type question and answer method and application thereof
CN115412316A (en) A sensitive information identification method for HTTPS encrypted traffic
CN119835482A (en) Data management method and device, computer equipment and storage medium
Sousa et al. Privacy in open search: A review of challenges and solutions
CN117459324A (en) GPT model access method, equipment and computer readable storage medium
KR102619521B1 (en) Method and apparatus for encrypting confidention information based on artificial intelligence
CN116561777A (en) Data processing method and device
Jia et al. Machine Learning Security Defense Algorithms Based on Metadata Correlation Features.
CN116049877A (en) Method, system, equipment and storage medium for identifying and desensitizing private data
Liu On the Application of Data Encryption Technology in Computer Network Information Security Protection
CN117421670B (en) Sensitive information identification method, device, equipment and storage medium
CN117951174B (en) A data classification and grading method, device, equipment and medium based on data set
CN117610078B (en) Data flow early warning method and device, electronic equipment and storage medium
Zuev Artificial intelligence Internet monitoring to detect and solve crimes
CN114626074B (en) Method and device for protecting data leakage, storage medium and computer equipment
US20250307418A1 (en) Secure Systems of Guardrails for Securing the Use of Large Language Models (LLMS)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant