
TWI889560B - Internet of things information security detection method and internet of things information security detection system - Google Patents


Info

Publication number
TWI889560B
Authority
TW
Taiwan
Prior art keywords
test
information
question
data
information security
Prior art date
Application number
TW113137359A
Other languages
Chinese (zh)
Inventor
林宗億
徐漢宏
Original Assignee
耀睿科技股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 耀睿科技股份有限公司
Priority to TW113137359A
Application granted
Publication of TWI889560B

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

An internet of things information security detection method and internet of things information security detection system are provided. The information security detection method includes the following steps: loading standard regulatory information, where the standard regulatory information contains multiple requirement conditions, multiple test items, and multiple compliance data; inputting specification information; using the multiple requirement conditions to compare with the specification information to output the corresponding test items; establishing a testing checklist through the outputted multiple test items; loading self-declaration information containing declaration data; generating test scenarios based on the testing checklist; inputting the declaration data into the test scenarios for issue verification to determine if there is a question-answer correlation; generating corrective feedback if the question-answer correlation does not exist; sending the corrective feedback to the correction end to modify the declaration data; and when the question-answer correlation exists, inputting the declaration data into the test scenarios for compliance verification to determine if the declaration data meets the corresponding compliance data.

Description

Internet of Things Information Security Detection Method and Internet of Things Information Security Detection System

The present invention relates to a detection method, and more particularly to an Internet of Things (IoT) information security detection method and an IoT information security detection system.

To ensure the information security of IoT devices, such devices are inspected against information security standards (for example EN303645 and CNS16190). Existing inspection methods, however, rely on personnel to manually select the applicable items and interpret the results in order to produce an information security report for the device, which is time-consuming and labor-intensive.

The inventors therefore considered that the above shortcomings could be remedied and, after dedicated research combined with the application of scientific principles, arrived at the present invention, which is reasonably designed and effectively remedies those shortcomings.

The technical problem addressed by the present invention is to provide, in view of the deficiencies of the prior art, an IoT information security detection method and an IoT information security detection system.

An embodiment of the present invention discloses an IoT information security detection method, applied to a detection system to inspect a device under test. The information security detection method comprises the following steps: loading standard regulatory information, the standard regulatory information having a plurality of condition requirements, a plurality of test items corresponding to the condition requirements, and a plurality of compliance data matching the test items; inputting specification information of the device under test; comparing the specification information against the condition requirements to output the corresponding test items; establishing, from the outputted test items, a test checklist having at least one of the test items; loading self-declaration information, the self-declaration information having declaration data corresponding to the test items in the test checklist; using a large language model (LLM) to generate a test scenario according to the test checklist; using the large language model to bring the declaration data into the test scenario for a question verification, so as to determine whether a question-answer correlation exists between the declaration data and the test scenario; generating correction feedback when the question-answer correlation does not exist; transmitting the correction feedback to a correction end so that the correction end corrects the declaration data; and, when the question-answer correlation exists, using the large language model to bring the declaration data into the test scenario for a compliance verification, so as to determine whether the declaration data in the test scenario meets the corresponding compliance data.

An embodiment of the present invention also discloses an IoT information security detection system for inspecting a device under test. The information security detection system comprises: a database containing standard regulatory information, the standard regulatory information having a plurality of condition requirements, a plurality of test items corresponding to the condition requirements, and a plurality of compliance data matching the test items; a front-end interface through which self-declaration information and specification information corresponding to the device under test can be input; a server connected to the database and the front-end interface, the server comparing the specification information against the condition requirements to output the corresponding test items to the front-end interface, so that the front-end interface can be operated to establish a test checklist having at least one of the test items, the self-declaration information having declaration data corresponding to the test items in the test checklist; and a large language model connected to the server, the large language model being able to generate a test scenario according to the test checklist and to bring the declaration data into the test scenario for a question verification, so as to determine whether a question-answer correlation exists between the declaration data and the test scenario. When the question-answer correlation does not exist, the large language model generates correction feedback to be transmitted to a correction end so that the correction end corrects the declaration data. When the question-answer correlation exists, the large language model brings the declaration data into the test scenario for a compliance verification, so as to determine whether the declaration data in the test scenario meets the corresponding compliance data.

In summary, by virtue of the design in which "the large language model brings the declaration data into the test scenario for a question verification, so as to determine whether a question-answer correlation exists between the declaration data and the test scenario" and "the large language model brings the declaration data into the test scenario for a compliance verification, so as to determine whether the declaration data in the test scenario meets the corresponding compliance data", the IoT information security detection method and IoT information security detection system disclosed in the embodiments of the present invention can confirm whether the device under test complies with information security regulations without manual effort.

For a further understanding of the features and technical content of the present invention, reference is made to the following detailed description and drawings. The drawings are provided for reference and illustration only and are not intended to limit the present invention.

The following describes, by way of specific embodiments, the implementation of the "Internet of Things information security detection method and Internet of Things information security detection system" disclosed by the present invention; a person skilled in the art can understand the advantages and effects of the present invention from the content disclosed in this specification. The present invention can be implemented or applied through other different specific embodiments, and the details in this specification can also be modified and changed in various ways based on different viewpoints and applications without departing from the concept of the present invention. In addition, it is stated in advance that the drawings of the present invention are simple schematic illustrations and are not drawn to actual scale. The following embodiments further explain the relevant technical content of the present invention in detail, but the disclosed content is not intended to limit the scope of protection of the present invention.

It should be understood that, although terms such as "first", "second" and "third" may be used in this document to describe various components or signals, those components or signals should not be limited by these terms. These terms are mainly used to distinguish one component from another, or one signal from another. In addition, the term "or" as used in this document may, depending on the actual situation, include any one or any combination of the associated listed items.

In addition, where the following description indicates that reference should be made to a specific figure, or that something is shown in a specific figure, this is only to emphasize that most of the related content in the subsequent description appears in that figure; it does not restrict the subsequent description to referring only to that figure.

[First embodiment]

Referring to FIG. 1, this embodiment provides an IoT information security detection method applied to a detection system (for example, the IoT information security detection system of the second embodiment). The method can be used to inspect a device under test (not shown); during the inspection, the device is evaluated through a large language model (LLM), so that whether the device complies with information security requirements can be confirmed. In this embodiment the method comprises steps S101 to S119, but the present invention is not limited thereto; in practice, steps may be added or adjusted as appropriate. The steps of the method are described below.

Step S101: loading standard regulatory information, the standard regulatory information having a plurality of condition requirements, a plurality of test items corresponding to the condition requirements, and a plurality of compliance data matching the test items.

The standard regulatory information refers to regulatory information concerning information security, for example the Chinese National Standard "Cyber Security for Consumer Internet of Things: Baseline Requirements" (No. CNS16190). Each condition requirement refers to a baseline condition defined in the regulatory information, and each baseline condition has a corresponding inspection matter (that is, the test item). Each item of compliance data refers to the specific data used to verify whether the test item satisfies the requirement. In practice the standard regulatory information may also be EN303645; the present invention does not specifically limit which standard is used.

Step S103: inputting specification information of the device under test. For example, the specification information may state "has an identity authentication mechanism".

Step S105: comparing the specification information against the condition requirements to output the corresponding test items. For example, if the specification information records that the device under test has function A, function B and function C, the outputted test items are those corresponding to function A, function B and function C respectively.

Step S107: establishing, from the outputted test items, a test checklist having at least one of the test items. It should be noted that in practice the test items comprise mandatory test items, recommended test items and conditional test items, so the test checklist may contain at least one of the test items.

For example, if the outputted test items correspond to mandatory function A, recommended function B and conditional function C, the test checklist will necessarily contain a test item corresponding to function A; the test item corresponding to recommended function B is included according to the reviewer's choice; and the test item corresponding to conditional function C is selected by the system on the basis that "the condition is satisfied".

Step S109: loading self-declaration information, the self-declaration information having declaration data corresponding to the test items in the test checklist.

In practice, the supplier of the device under test uploads a self-declaration document (that is, the self-declaration information), and the self-declaration document makes a declaration for each test item in the test checklist.

Step S111: using a large language model (LLM) to generate a test scenario according to the test checklist.

Step S113: using the large language model to bring the declaration data into the test scenario for a question verification, so as to determine whether a question-answer correlation exists between the declaration data and the test scenario.

For example, if the test item is "If passwords are used and in any state other than the factory default, all consumer IoT device passwords shall be unique per device or defined by the user", the large language model builds, from the meaning of that test item, the following test scenario: "When a password is used and the device is in any state other than the factory default (for example 'admin'), all consumer IoT device passwords shall satisfy one of the following: (1) each device's password is unique; (2) the password is defined by the user; please explain in detail how the password is established."

Suppose the declaration data is "User passwords are set by the user through a wizard, have no correlation with the MAC Address/SN, and cannot be reverse-computed or brute-forced". The large language model imports the declaration data into the test scenario and judges the semantic relationship between them, thereby determining whether the declaration data answers the question posed by the test scenario (that is, whether the question-answer correlation exists).

It is worth noting that, to ensure the large language model performs the question verification accurately, the IoT information security detection method of the present invention can instruct the large language model to perform the question verification using a prompt framed from a critical perspective.

For example, in the Python programming language the prompt sent to the large language model can be built as follows: 「merged_data = "用一個批判的角度去判斷這個測試項目,問題是:" + str(TestCase.question) + "\n\n答案是:" + str(TestCase.answer) + "\n\n理由:" + "\n結果:\n只需要回答通過或不通過不用其他的說明"」, where TestCase.question is the test scenario and TestCase.answer is the declaration data. In English, the string literals read: "Judge this test item from a critical perspective. The question is:", "The answer is:", "Reason:", and "Result: answer only pass or fail, with no other explanation".

Step S115: generating correction feedback when the question-answer correlation does not exist.

Step S117: transmitting the correction feedback to a correction end so that the correction end corrects the declaration data. After the declaration data has been corrected, step S113 is executed again.

For example, when the meaning of the declaration data is unrelated to the question of the test scenario (that is, the declaration data answers something other than what the test item asks), the correction feedback is issued to the correction end so that personnel correct the declaration data for that test item, until the meaning of the declaration data and the question of the test scenario exhibit the question-answer correlation.

Step S119: when the question-answer correlation exists, using the large language model to bring the declaration data into the test scenario for a compliance verification, so as to determine whether the declaration data in the test scenario meets the corresponding compliance data.

That is, once the meaning of the declaration data and the question of the test scenario exhibit the question-answer correlation, the large language model judges a second time whether the declaration data, read as an answer to the question of the test scenario, is correct according to the compliance data.

In practice, when step S119 is completed, the IoT information security detection method can output an inspection report for the device under test with respect to the standard regulatory information.
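The following is an added worked example, not code from the patent or its assignee: an offline model of steps S103 to S119 in which the large language model is replaced by an injectable judge that receives the same merged prompt a model would, so the checklist rules (mandatory, recommended, conditional), the question-verification feedback loop and the pass/fail verdict parsing can be exercised. The regulation entries, the `Requirement` fields, the keyword-based judge and the declaration texts are constructed assumptions, not the content of CNS16190 or EN303645.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Requirement:
    rid: str                            # requirement id inside the regulation
    condition: str                      # spec feature this condition requirement matches
    level: str                          # "mandatory" | "recommended" | "conditional"
    test_item: str                      # test item text, the basis of the generated scenario
    compliance: List[str]               # compliance data: phrases a compliant declaration states
    precondition: Optional[str] = None  # conditional items: extra spec feature that must be present


# S101: constructed sample regulation (not the text of CNS16190 or EN303645)
REGULATION: List[Requirement] = [
    Requirement("A", "password", "mandatory",
                "Passwords outside the factory default state shall be unique per device "
                "or defined by the user.", ["set by the user", "mac address"]),
    Requirement("B", "vulnerability disclosure", "recommended",
                "The vendor should publish a vulnerability disclosure policy.",
                ["contact", "timeline"]),
    Requirement("C", "software update", "conditional",
                "Updates delivered over a network shall be verified before install.",
                ["signed", "verified before install"], precondition="network interface"),
]


def build_checklist(spec_features: List[str], chosen_recommended: List[str]) -> List[Requirement]:
    """S105 + S107: match condition requirements against the spec, then keep mandatory
    items always, recommended items only if the reviewer selected them, and conditional
    items only when their precondition is also present in the spec."""
    matched = [r for r in REGULATION if r.condition in spec_features]  # S105
    return [r for r in matched
            if r.level == "mandatory"
            or (r.level == "recommended" and r.rid in chosen_recommended)
            or (r.level == "conditional" and r.precondition in spec_features)]


def critical_prompt(question: str, answer: str) -> str:
    """Merged prompt in the shape the description shows (strings translated)."""
    return ("Judge this test item from a critical perspective. Question: " + question
            + "\n\nAnswer: " + answer
            + "\n\nReason:\nResult:\nAnswer only pass or fail, with no other explanation")


def parse_verdict(model_output: str) -> bool:
    """Map the model's one-word reply to a boolean. '不通過' contains '通過', so the
    negative forms are tested first; anything else is rejected instead of being
    silently counted as a pass."""
    text = model_output.strip().lower()
    if text.startswith(("不通過", "fail")):
        return False
    if text.startswith(("通過", "pass")):
        return True
    raise ValueError("unparseable verdict: " + model_output)


Judge = Callable[[str], str]  # takes the merged prompt, returns the model's reply text


def keyword_judge(required: List[str]) -> Judge:
    """Offline stand-in for the LLM (assumption): reads the answer part of the merged
    prompt and replies 'pass' only when every required phrase is present."""
    def judge(prompt: str) -> str:
        answer = prompt.split("\n\nAnswer: ", 1)[1].split("\n\nReason:", 1)[0].lower()
        return "pass" if all(k in answer for k in required) else "fail"
    return judge


def verify_item(req: Requirement, declaration: str,
                correction_end: Callable[[str, str], str], max_rounds: int = 3) -> Dict:
    """S111-S119 for one checklist item; returns one row of the inspection report."""
    scenario = "Scenario " + req.rid + ": " + req.test_item  # S111
    relevance = keyword_judge([req.condition])   # does the answer address the topic at all?
    compliance = keyword_judge(req.compliance)   # does it state the compliance data?
    rounds = 0
    while not parse_verdict(relevance(critical_prompt(scenario, declaration))):  # S113
        if rounds == max_rounds:  # bound the loop: a correction end may never fix it
            return {"item": req.rid, "result": "unresolved", "rounds": rounds}
        feedback = "Declaration for " + req.rid + " does not answer: " + req.test_item  # S115
        declaration = correction_end(req.rid, feedback)  # S117
        rounds += 1
    ok = parse_verdict(compliance(critical_prompt(scenario, declaration)))  # S119
    return {"item": req.rid, "result": "pass" if ok else "fail", "rounds": rounds}


def run_detection(spec_features: List[str], chosen_recommended: List[str],
                  declarations: Dict[str, str],
                  correction_end: Callable[[str, str], str]) -> List[Dict]:
    """S103-S119 end to end; the returned list is the inspection report."""
    return [verify_item(r, declarations.get(r.rid, ""), correction_end)
            for r in build_checklist(spec_features, chosen_recommended)]


# Constructed sample run: item A first answers the wrong question and is corrected once.
SPEC = ["password", "network interface", "software update"]
DECLARATIONS = {"A": "The device supports firmware updates.",
                "C": "Software update images are signed and the signature is verified before install."}
CORRECTED = {"A": "The user password is set by the user through the wizard and has no "
                  "correlation with the MAC address/SN and cannot be brute-forced."}


def sample_correction_end(rid: str, feedback: str) -> str:
    return CORRECTED.get(rid, "")


if __name__ == "__main__":
    for row in run_detection(SPEC, [], DECLARATIONS, sample_correction_end):
        print(row)
```

Replacing `keyword_judge` with a function that sends the merged prompt to a real model and returns its reply is the only change needed to run the same loop against an LLM; `parse_verdict` then guards against replies that are neither pass nor fail.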

[Second embodiment]

Referring to FIG. 2, this embodiment provides an IoT information security detection system 100 that adopts or executes the IoT information security detection method of the first embodiment. Details of the components of the IoT information security detection system 100 that relate to the method are therefore not repeated.

The IoT information security detection system 100 comprises a database 1, a front-end interface 2, a server 3 connected to the database 1 and the front-end interface 2, and a large language model 4. The components of the IoT information security detection system 100 and their connections are described below.

The database 1 contains standard regulatory information, the standard regulatory information having a plurality of condition requirements, a plurality of test items corresponding to the condition requirements, and a plurality of compliance data matching the test items. In practice, the standard regulatory information may be stored in advance or retrieved from the cloud in real time, and is not limited to a single specific source.

The front-end interface 2 allows self-declaration information and specification information corresponding to the device under test to be input. The front-end interface 2 may be used through a computer or another electronic device, but the present invention is not limited thereto.

The server 3 compares the specification information against the condition requirements to output the corresponding test items to the front-end interface, so that the front-end interface can be operated to establish a test checklist having at least one of the test items, the self-declaration information having declaration data corresponding to the test items in the test checklist.

The large language model 4 can generate a test scenario according to the test checklist, and bring the declaration data into the test scenario for a question verification, so as to determine whether a question-answer correlation exists between the declaration data and the test scenario.

When the question-answer correlation does not exist, the large language model 4 generates correction feedback to be transmitted to a correction end (for example, the front-end interface 2), so that the correction end corrects the declaration data.

When the question-answer correlation exists, the large language model brings the declaration data into the test scenario for a compliance verification, so as to determine whether the declaration data in the test scenario meets the corresponding compliance data.

[Technical effects of the embodiments of the invention]

In summary, by virtue of the design in which "the large language model brings the declaration data into the test scenario for a question verification, so as to determine whether a question-answer correlation exists between the declaration data and the test scenario" and "the large language model brings the declaration data into the test scenario for a compliance verification, so as to determine whether the declaration data in the test scenario meets the corresponding compliance data", the IoT information security detection method and IoT information security detection system disclosed in the embodiments of the present invention can confirm whether the device under test complies with information security regulations without manual effort.

The content disclosed above consists only of preferred feasible embodiments of the present invention and does not limit the scope of the patent claims; all equivalent technical changes made using the content of the specification and drawings of the present invention fall within the scope of the patent claims of the present invention.

S101~S119: steps; 100: IoT information security detection system; 1: database; 2: front-end interface; 3: server; 4: large language model

FIG. 1 is a flow chart of the steps of the IoT information security detection method according to the first embodiment of the present invention.

FIG. 2 is a circuit block diagram of the IoT information security detection system according to the second embodiment of the present invention.


Claims (4)

一種物聯網資安檢測方法,應用於一檢測系統以用來檢測一待檢測設備,所述資安檢測方法包括以下步驟: 載入一標準法規資訊,所述標準法規資訊具有多個條件要求、對應多個所述條件要求的多個測試項目、以及匹配多個所述測試項目的多個合規數據; 輸入所述待檢測設備的一規格資訊; 利用多個所述條件要求比對所述規格資訊,以輸出對應的所述測試項目; 通過被輸出的多個所述測試項目建立具有至少一所述測試項目的一檢測清單; 載入一自我聲明資訊,所述自我聲明資訊具有對應於所述檢測清單中的所述測試項目的一聲明數據; 利用一大語言模型(LLM)依據所述檢測清單生成一測試情境; 利用所述大語言模型將所述聲明數據帶入所述測試情境進行一問題驗證,以確定所述聲明數據與所述測試情境之間是否存在一問答關聯性; 於所述問答關聯性不存在時產生一修正回饋; 傳送所述修正回饋至一修正端,使所述修正端對所述聲明數據進行修正;以及 於所述問答關聯性存在時,利用所述大語言模型將所述聲明數據帶入所述測試情境進行一合規驗證,以確定所述聲明數據於所述測試情境中是否符合對應的所述合規數據。 A method for detecting information security of the Internet of Things is applied to a detection system to detect a device to be detected, and the method comprises the following steps: Loading a standard regulatory information, the standard regulatory information having a plurality of condition requirements, a plurality of test items corresponding to the plurality of condition requirements, and a plurality of compliance data matching the plurality of test items; Inputting a specification information of the device to be detected; Using the plurality of condition requirements to compare the specification information to output the corresponding test items; Establishing a detection list having at least one test item through the outputted plurality of test items; Loading a self-declaration information, the self-declaration information having a declaration data corresponding to the test item in the detection list; Using a large language model (LLM) to generate a test scenario according to the detection list; Using the large language model to bring the statement data into the test scenario for a question verification to determine whether there is a question-answer relationship between the statement data and the test scenario; generating a correction feedback when the question-answer relationship does not exist; transmitting the correction feedback to a correction end so that the correction end corrects the statement data; and when the question-answer relationship exists, using the large language model to bring the 
statement data into the test scenario for a compliance verification to determine whether the statement data in the test scenario complies with the corresponding compliance data. 如請求項1所述的物聯網資安檢測方法,其中,利用為關聯於批判角度的一提示詞對所述大語言模型要求進行所述問題驗證。The Internet of Things information security detection method as described in claim 1, wherein the problem verification is performed on the large language model using a prompt word related to a critical perspective. 一種物聯網資安檢測系統,用來檢測一待檢測設備,所述資安檢測系統包括: 一資料庫,包含一標準法規資訊,所述標準法規資訊具有多個條件要求、對應多個所述條件要求的多個測試項目、以及匹配多個所述測試項目的多個合規數據; 一前端介面,能輸入一自我聲明資訊、以及對應所述待檢測設備的一規格資訊; 一伺服器,連接所述資料庫及所述前端介面,所述伺服器利用多個所述條件要求比對所述規格資訊以輸出對應的所述測試項目至所述前端介面,使所述前端介面能被操作以建立具有至少一所述測試項目的一檢測清單,並且所述自我聲明資訊具有對應於所述檢測清單中的所述測試項目的一聲明數據;以及 一大語言模型,連接所述伺服器,所述大語言模型能依據所述檢測清單生成一測試情境,並且將所述聲明數據帶入所述測試情境進行一問題驗證,以確定所述聲明數據與所述測試情境之間是否存在一問答關聯性; 當所述問答關聯性不存在時,所述大語言模型產生一修正回饋以傳送至一修正端,使所述修正端對所述聲明數據進行修正; 當所述問答關聯性存在時,所述大語言模型將所述聲明數據帶入所述測試情境進行一合規驗證,以確定所述聲明數據於所述測試情境中是否符合對應的所述合規數據。 An Internet of Things information security detection system is used to detect a device to be detected, and the information security detection system includes: A database, including a standard regulatory information, the standard regulatory information has multiple condition requirements, multiple test items corresponding to the multiple condition requirements, and multiple compliance data matching the multiple test items; A front-end interface, which can input a self-declaration information and a specification information corresponding to the device to be detected; A server, connected to the database and the front-end interface, the server uses the multiple condition requirements to compare the specification information to output the corresponding test items to the front-end interface, so that the front-end interface can be operated to establish a detection list with at least one test item, and the self-declaration information has a declaration data corresponding to the test item in the detection list; and A large language model is 
connected to the server. The large language model can generate a test scenario according to the test list, and bring the statement data into the test scenario for a question verification to determine whether there is a question-answer relationship between the statement data and the test scenario; When the question-answer relationship does not exist, the large language model generates a correction feedback to be transmitted to a correction end, so that the correction end corrects the statement data; When the question-answer relationship exists, the large language model brings the statement data into the test scenario for a compliance verification to determine whether the statement data in the test scenario conforms to the corresponding compliance data. 如請求項3所述的物聯網資安檢測系統,其中,所述大語言模型依據關聯於批判角度的一提示詞進行所述問題驗證。An Internet of Things information security detection system as described in claim 3, wherein the large language model performs the problem verification based on a prompt word related to a critical perspective.
Priority Applications (1)

Application Number Priority Date Filing Date Title
TW113137359A TWI889560B (en) 2024-09-30 2024-09-30 Internet of things information security detection method and internet of things information security detection system

Publications (1)

Publication Number Publication Date
TWI889560B true TWI889560B (en) 2025-07-01

Family

ID=97227894

Country Status (1)

Country Link
TW (1) TWI889560B (en)

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10402546B1 (en) * 2011-10-11 2019-09-03 Citrix Systems, Inc. Secure execution of enterprise applications on mobile devices
CN113302638A (en) * 2018-10-29 2021-08-24 强力交易投资组合2018有限公司 Method and system for improving machines and systems for automatically performing distributed ledger and other transactions in spot and forward markets for energy, computing, storage, and other resources
TW202305633A (en) * 2021-07-20 2023-02-01 奧義智慧科技股份有限公司 Log categorization device and related computer program product with adaptive clustering function
TW202305632A (en) * 2021-07-20 2023-02-01 奧義智慧科技股份有限公司 Security event analysis system and related computer program product for auxiliary intrusion detection
