Network security protection methods, devices, equipment and storage media for building gateways

By automatically detecting and building a set of legitimate devices through a building gateway, the complexities of VPN key management and network threat handling in building systems are resolved, enabling adaptive network security protection for building systems.

CN115955349B · Active · Publication Date: 2026-06-30 · HITACHI BUILDING TECH GUANGZHOU CO LTD

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Patents (China)
Current Assignee / Owner: HITACHI BUILDING TECH GUANGZHOU CO LTD
Filing Date: 2022-12-21
Publication Date: 2026-06-30

AI Technical Summary

Technical Problem

The network security of building systems is insufficient, VPN keys and authentication credentials are difficult to manage effectively, unauthorized user devices can easily access the network, high professional requirements are required, and network threat handling is complex.

Method used

By building a local set of legitimate devices through a building gateway, devices can be automatically detected and verified, access control rules and resource reservation information can be generated, and attack protection parameters can be dynamically adjusted to achieve adaptive access control and attack protection.

Benefits of technology

It enhances the network security of building systems, simplifies VPN key management, reduces the risk of unauthorized access, reduces reliance on professional personnel, and improves the system's adaptive protection capabilities.

✦ Generated by Eureka AI based on patent content.


Abstract

This application discloses a network security protection method, apparatus, device, and storage medium for a building gateway. The method includes: after the building gateway connects to a VPN network, performing device detection within the building system, including the building controller and third-party standard devices, to construct a local legitimate device set; constructing access control rules for the local legitimate device set; determining resource reservation information for each legitimate device in the local legitimate device set based on the access control rules; determining attack protection parameters based on the resource reservation information; and applying the attack protection parameters to perform attack protection processing on each legitimate device. This effectively improves the security protection and adaptive level of the building system subnet.

Description

Technical Field

[0001] This application relates to the field of network security technology, and in particular to a network security protection method based on a building gateway, a network security protection device based on a building gateway, an electronic device, and a computer-readable storage medium.

Background Technology

[0002] With the accelerated integration of technologies such as cloud computing and the Internet of Things in the field of building information, while bringing broad development opportunities to smart buildings, it has also led to the continuous expansion of the access scope of building systems, making the building network structure more complex and increasing the risk of the system being attacked by networks.

[0003] To improve the network security of building systems, the network security measures mentioned in related technologies mainly focus on analyzing and detecting security vulnerabilities, and based on the detection results, deploying dedicated network security equipment (such as firewalls) and completing the corresponding security policy formulation and configuration. However, these methods have the following problems when applied to building systems:

[0004] 1) Insufficient security of critical information deployed in the system

[0005] When building a VPN system using standard firewalls or routers, the parameters are set and saved on the firewalls or routers. Each time a new VPN branch site is added or maintenance is performed, on-site querying, inputting, and modifying are required. This makes it difficult to effectively manage highly sensitive or confidential parameters such as VPN keys and authentication credentials, which poses a serious risk of local leakage and increases the security risk of unauthorized local users / devices illegally accessing the VPN platform's central side.

[0006] 2) Safety management requires highly specialized engineering personnel but has low adaptability.

[0007] The network threats faced by the local building system at the user-side site are twofold: on the one hand, attacks from the Internet after the building system is connected to the wide area network; on the other hand, unauthorized access by devices, or business access under unauthorized conditions, on the building's local intranet. However, the network security devices in the relevant technologies lack integration with building services, and need to be assessed by professional network administrators (or IT personnel) based on the current network environment. This process is cumbersome and highly dependent on the professional level of the personnel.

Summary of the Invention

[0008] This application provides a network security protection method, device, equipment, and storage medium for building gateways to solve the problems of insufficient security and high professional requirements for engineers when building building security networks using related technologies.

[0009] According to a first aspect of this application, a network security protection method based on a building gateway is provided. The method is applied to a building gateway, where one building gateway corresponds to one or more building sites. Each building site includes one or more building terminal devices and a building controller connected to each of the building terminal devices. The building terminal devices access the building gateway through the building controller. The method includes:

[0010] Once the building gateway is connected to the VPN network, it performs device detection on system devices including the building controller and third-party standard devices in the building system to build a local legitimate device set.

[0011] Construct access control rules for the local set of legitimate devices;

[0012] Based on the access control rules, determine the resource reservation information of each legitimate device in the local legitimate device set;

[0013] Attack protection parameters are determined based on the resource reservation information;

[0014] The aforementioned attack protection parameters are used to perform attack protection processing on each legitimate device.

[0015] According to a second aspect of this application, a network security protection device based on a building gateway is provided. The device is disposed in a building gateway, where one building gateway corresponds to one or more building sites. Each building site includes one or more building terminal devices and a building controller connected to each of the building terminal devices. The building terminal devices access the building gateway through the building controller. The device includes:

[0016] The legitimate device set construction module is used to detect devices within the building system, including the building controller and third-party standard devices, in order to construct a local legitimate device set after the building gateway is connected to the VPN network.

[0017] An access control rule building module is used to build access control rules for the local set of legitimate devices;

[0018] The resource reservation information determination module is used to determine the resource reservation information of each legitimate device in the local legitimate device set based on the access control rules.

[0019] An attack protection parameter determination module is used to determine attack protection parameters based on the resource reservation information.

[0020] The attack protection processing module is used to perform attack protection processing on each legitimate device using the attack protection parameters.

[0021] According to a third aspect of this application, an electronic device is provided, the electronic device comprising a light curtain transmitter and a light curtain receiver, the light curtain receiver comprising:

[0022] At least one processor; and

[0023] A memory communicatively connected to the at least one processor; wherein,

[0024] The memory stores a computer program that can be executed by the at least one processor, the computer program being executed by the at least one processor to enable the at least one processor to perform the method described in the first aspect above.

[0025] According to a fourth aspect of this application, a computer-readable storage medium is provided, the computer-readable storage medium storing computer instructions for causing a processor to execute and implement the method described in the first aspect above.

[0026] In this embodiment, by establishing a highly integrated foundation between the building gateway and building service data, the system automatically completes the detection and verification of devices belonging to the local building system and the allocation of VPN subnet addresses on the branch side, forming a local legitimate device set. Based on this legitimate device set and dynamically reserved resources, the system proactively constructs access control and attack protection for the building's local subnet while ensuring minimal impact on normal service access. Through dynamic analysis of reserved resources and traffic load based on the building gateway, access security control policies are proactively and automatically constructed. This effectively improves the adaptive level and security of IPsec VPN network security tunnel access between the user-side local building system and the cloud platform center, as well as the security protection of the building system subnet.

[0027] It should be understood that the description in this section is not intended to identify key or essential features of the embodiments of this application, nor is it intended to limit the scope of this application. Other features of this application will become readily apparent from the following description.

Description of the Drawings

[0028] To more clearly illustrate the technical solutions in the embodiments of this application, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the accompanying drawings described below are only some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0029] Figure 1 is a flowchart of a network security protection method based on a building gateway provided in Embodiment 1 of this application;

[0030] Figure 2 is an architecture diagram of a building network management system provided in Embodiment 1 of this application;

[0031] Figure 3 is a schematic diagram of a process for detecting devices within the system, provided in Embodiment 1 of this application;

[0032] Figure 4 is a schematic diagram of a process for detecting a third-party standard device, provided in Embodiment 1 of this application;

[0033] Figure 5 is a schematic diagram of a process for constructing access control rules, provided in Embodiment 1 of this application;

[0034] Figure 6 is a schematic diagram of an attack protection process provided in Embodiment 1 of this application;

[0035] Figure 7 is a schematic diagram of a network security protection device based on a building gateway provided in Embodiment 2 of this application;

[0036] Figure 8 is a schematic diagram of the structure of an electronic device provided in Embodiment 3 of this application.

Detailed Implementation

[0037] To enable those skilled in the art to better understand the present application, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present application, and not all embodiments. Based on the embodiments in the present application, all other embodiments obtained by those of ordinary skill in the art without creative effort should fall within the scope of protection of the present application.

[0038] It should be noted that the terms "first," "second," etc., in the specification, claims, and accompanying drawings of this application are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that such data can be interchanged where appropriate so that the embodiments of this application described herein can be implemented in orders other than those illustrated or described herein. Furthermore, the terms "comprising" and "having," and any variations thereof, are intended to cover non-exclusive inclusion; for example, a process, method, system, product, or apparatus that comprises a series of steps or units is not necessarily limited to those steps or units explicitly listed, but may include other steps or units not explicitly listed or inherent to such processes, methods, products, or apparatus.

[0039] Example 1

[0040] Figure 1 is a flowchart of the network security protection method provided in the first embodiment of this application; the method is applied to a building gateway. As shown in the architecture diagram of the building network management system in Figure 2, one building gateway corresponds to one or more building sites, and one building site may include one or more building terminal devices, such as (as shown in Figure 2) access control management equipment, energy management equipment, environmental management equipment, air-conditioning management equipment, information release equipment, elevator control management equipment, equipment management equipment, third-party systems, etc. Each building site may also include a building controller connected to each building terminal device, and each building terminal device accesses the building gateway through the building controller. Each building gateway in turn accesses the building management cloud platform on the wide area network through an IPsec VPN tunnel.

[0041] Specifically, as Figure 2 shown, the building management cloud platform is generally deployed in the public cloud, including a building gateway (GWC) verification module, a central side IPsecVPN module, a private network time service module, and various business service modules, providing a platform center for background data storage, monitoring, management, and integration for each user site imported into the system, and providing management services for the whole system and multiple sites for various users.

[0042] A building site (i.e., the user-side branch site) is generally a management object of the user's local regional area of a large-scale building or building complex, consisting of a building gateway and various business subsystems deployed in the local area network of the building, covering business subsystems such as access control management, visitor management, lighting management, power management, air-conditioning management, and elevator control management. Each type of business subsystem includes corresponding field controllers and terminal devices.

[0043] Generally, one building gateway is deployed inside each user branch side site, which can provide an IPsecVPN security tunnel based on wide area network access and local subnet access control and attack protection for the building user side. At the same time, it can also provide perfect edge-side support for unified management and multi-subsystem linkage in the local area of the building. Its main components include: internal / external network interfaces, branch side IPsecVPN modules, verification link access modules, site deployment information modules, system device information modules, reserved resource calculation and adjustment modules, local device detection and VPN subnet internal device address allocation modules, access security control modules, attack protection modules, and other business modules such as area management and linkage.

[0044] The building controller is an access device and local management device for the field terminals of various business subsystems in the building. Generally, it has rich field buses and input / output interfaces, and can complete data collection, storage and upload, and local control of various terminals.

[0045] Building terminal equipment, also known as field terminals / facilities, are the end objects of building system management. They include various on-site building facilities and equipment (such as air conditioners and elevators), meters (water, electricity, gas meters, etc.), authentication terminals (face recognition, finger vein recognition), sensing and control systems, and third-party systems.

[0046] As shown in Figure 1, this embodiment may include the following steps:

[0047] Step 101: After the building gateway is connected to the VPN network, device detection is performed in the building system for system devices including the building controller and third-party standard devices to build a local legitimate device set.

[0048] The VPN network in question is the VPN network of the building management cloud platform.

[0049] In one implementation, the building gateway can access the VPN network in the following way:

[0050] First, based on the gateway identifier of this building's gateway, request the gateway identity information storage address from the building management cloud platform, and after obtaining the gateway identity information storage address, read the gateway identity information from the storage address.

[0051] Next, gateway device information is generated based on gateway identity information and gateway identifier, and an initial access verification request is initiated to the building management cloud platform based on the gateway device information.

[0052] After receiving the initial access verification request, the building management cloud platform extracts the gateway device information. Then, based on the gateway identifier in the gateway device information, it searches for the corresponding gateway device information in a pre-stored device information data table. If the extracted gateway device information matches the found gateway device information, the initial access verification for the building gateway is successful. After the initial access verification of the building gateway is successful, the building management cloud platform returns an initial verification success message containing a random value T to the building gateway.

[0053] Then, the building gateway extracts a random value T from the initial successful verification message, converts it into a verification code T1 according to the set conversion algorithm, and then sends T1 to the building management cloud platform. After receiving T1, the building management cloud platform converts the random value T into a verification code T2 according to the set conversion algorithm. If T2 is the same as T1, the secondary access verification of the building gateway is successful.

[0054] Finally, the building management cloud platform queries the pre-generated site deployment information table using the gateway identifier of the current building gateway as a condition to obtain the VPN deployment information of the corresponding site. This VPN deployment information may include, for example, user site code, service deployment parameters, central-side IPsec VPN access parameters, and branch-side IPsec VPN subnet construction parameters. The building management cloud platform then distributes this VPN deployment information to the corresponding building gateway. After obtaining VPN deployment information, the building gateway adjusts its internal LAN interface network parameters to the corresponding network segment based on the branch-side IPsec VPN subnet segment. Then, after detecting that its own IPsec VPN access parameters (including the central VPN public IP, IPsec authentication parameters, IPsec tunnel mode, and Phase 1 / 2 negotiation parameters) have been updated, it restarts the IPsec tunnel establishment request with the remote IPsec VPN center according to the new access parameters. Once all negotiation and authentication steps of the first phase (IKE SA) and second phase (IPsec SA) of the IPsec tunnel creation between the branch and the platform center are successfully completed, the IPsec tunnel is established, and the IPsec VPN station-to-station connection between the branch and the platform center subnets is completed.

[0055] It should be noted that during the above-mentioned VPN network access process, the communication between the building gateway and the building management cloud platform can be encrypted. Ideally, the encryption method or key should be different at different stages (such as the initial access verification stage, the secondary access verification stage, VPN deployment information, etc.) to ensure data security.

[0056] Of course, in addition to the method described above, a building gateway can also access the VPN network in other ways; this embodiment does not limit this.
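The two-stage access verification of paragraphs [0050] to [0053], simulated in-process as an added example (not code from the patent or its assignee). The patent does not name the "set conversion algorithm" that derives T1/T2 from the random value T; an HMAC-SHA256 over T under a key shared by gateway and platform is assumed here, and the gateway identifiers, identity fields and device table are constructed.

```python
"""Added example (not from the patent): in-memory simulation of the gateway
access verification in paragraphs [0050]-[0053]. The conversion algorithm
T -> T1/T2 is assumed to be HMAC-SHA256 with a shared key; identifiers,
keys and the platform's device information table are constructed."""
import hashlib
import hmac
import secrets

SHARED_KEY = b"constructed-shared-key"   # assumption: provisioned out of band


def convert(t: bytes, key: bytes = SHARED_KEY) -> str:
    """Assumed conversion algorithm: random value T -> verification code
    (T1 when computed by the gateway, T2 when computed by the platform)."""
    return hmac.new(key, t, hashlib.sha256).hexdigest()


class CloudPlatform:
    """Building management cloud platform side of the exchange."""

    def __init__(self, device_table):
        self.device_table = device_table   # pre-stored device information, keyed by gateway identifier
        self.pending = {}                  # gateway identifier -> issued T awaiting its T1

    def initial_access_verify(self, gateway_device_info):
        """[0052]: look up the record by gateway identifier and compare the submitted
        device information with it field by field. Returns a random T on success."""
        gw_id = gateway_device_info.get("gateway_id")
        stored = self.device_table.get(gw_id)
        if stored is None or any(gateway_device_info.get(k) != v for k, v in stored.items()):
            return None
        t = secrets.token_bytes(16)
        self.pending[gw_id] = t           # T is single-use; consumed by the secondary stage
        return t

    def secondary_access_verify(self, gw_id, t1):
        """[0053]: recompute T2 from the T issued to this gateway and compare with T1."""
        t = self.pending.pop(gw_id, None)
        if t is None:
            return False                  # no outstanding T for this gateway (or a replayed T1)
        return hmac.compare_digest(t1, convert(t))   # constant-time comparison


class BuildingGateway:
    def __init__(self, gw_id, identity_info):
        self.gw_id = gw_id
        self.identity_info = identity_info   # [0050]: read from the identity-information storage address

    def device_info(self):
        """[0051]: gateway device information = identity information + gateway identifier."""
        return {"gateway_id": self.gw_id, **self.identity_info}


def access_vpn(gateway, platform):
    """Run both stages; True means the gateway may go on to receive VPN deployment information ([0054])."""
    t = platform.initial_access_verify(gateway.device_info())
    if t is None:
        return False
    t1 = convert(t)                       # gateway-side conversion of T
    return platform.secondary_access_verify(gateway.gw_id, t1)


DEVICE_TABLE = {   # constructed platform-side device information data table
    "GWC-0001": {"serial": "SN-CONSTRUCTED-1", "model": "BGW-X"},
}

if __name__ == "__main__":
    platform = CloudPlatform(DEVICE_TABLE)
    gw = BuildingGateway("GWC-0001", {"serial": "SN-CONSTRUCTED-1", "model": "BGW-X"})
    print("access granted:", access_vpn(gw, platform))
```

A gateway whose submitted information differs from the stored record never receives a T, and a T1 presented twice fails because the platform discards T after one use.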

[0057] Once the building gateway is connected to the VPN network, devices in the VPN subnet of this branch can be connected to the VPN network, and a local legitimate device set can be built.

[0058] In implementation, a local set of legitimate devices can be generated by automatically detecting and verifying devices within the system, including building controllers, as well as third-party standard devices.

[0059] Step 102: Construct access control rules for the local set of legitimate devices.

[0060] This access control rule is used to control access to local legitimate devices within the local legitimate device set.

[0061] Step 103: Determine the resource reservation information of each legitimate device in the local legitimate device set based on the access control rule.

[0062] For example, the resource reservation information may include, but is not limited to: estimated number of external network links, estimated external network traffic, estimated number of VPN links, estimated VPN traffic, etc.

[0063] Step 104: Determine attack protection parameters based on resource reservation information.

[0064] For example, attack protection parameters may include: WAN (i.e., external network) total traffic warning value, WAN total traffic security value, VPN total traffic warning value, VPN total traffic security value, external network connection security value of each device, VPN connection security value of each device, multi-connection warning value, etc.

[0065] Step 105: Use the attack protection parameters to perform attack protection processing on each legitimate device.

[0066] In one embodiment, when device detection is performed on devices within the system in step 101, as shown in Figure 3, step 101 may further include the following steps:

[0067] Step 101-1: Create a multicast group.

[0068] The equipment within this multicast group includes several building controllers.

[0069] Specifically, after the building gateway starts up, it can first create a default multicast group B1. For example, the building gateway can create a multicast group based on the IGMPv2 standard protocol.

[0070] After the devices in the system (such as field controllers or other standard network interface field terminals) are started, they first join multicast group B1.

[0071] Step 101-2: Scan local subnet devices to obtain the set of occupied IP addresses within the local subnet, and generate a set of free IP addresses based on the set of occupied IP addresses.

[0072] In one implementation, the building gateway (GWC) can use local subnet device detection methods, such as the network scanning tool nmap (Network Mapper, a network connection scanning and sniffing toolkit), to obtain the set of occupied IP addresses in the local subnet in real time. Then, based on the complete set of local addresses, it determines the complement of the set of occupied IP addresses to form the set of free IP addresses F.

[0073] Step 101-3: Send a device query command in multicast mode within the multicast group, and receive response instructions from each device in the multicast group based on the device query command.

[0074] Specifically, the building gateway can periodically send a device query command C1 to the multicast group B1 using a multicast method. For example, the device query command C1 may include information such as the local VPN subnet segment and the IP address of the building gateway.

[0075] After receiving the device query command C1, each device in the system within multicast group B1 (such as the building controller) determines whether its current network parameters match the network parameters of the local VPN subnet segment carried by C1. If they match, it replies to the GWC with the registration response command CK1 via unicast, using the IP address of the building gateway GWC as the destination. If they do not match, it replies with the first allocation request response command CK2 to the multicast address.

[0076] For example, CK1 may include, but is not limited to: the network parameters of the device itself within the current system (such as local IP address, subnet mask, gateway address), MAC address, device type, etc. The device type refers to the service type to which the device belongs, such as energy management, air conditioning management, etc.

[0077] Step 101-4: Determine registered and unregistered devices based on the response instructions.

[0078] After receiving the response instructions from each device in the multicast group, the building gateway determines whether each device is a registered device or an unregistered device based on the received response instructions.

[0079] In one embodiment, the device query command may include a VPN subnet segment and the building gateway's own IP address; then step 101-4 may further include the following steps:

[0080] Step 101-4-1: Identify the response instruction as either a registration response instruction or a first allocation request response instruction.

[0081] After receiving the response instruction, the building gateway can first identify whether the response instruction is the registration response instruction CK1 or the first allocation request response instruction CK2.

[0082] Among them, the registration response instruction CK1 is the response information returned by the device to the building gateway when it determines that the network parameters of the local device match the network parameters of the VPN subnet segment; the first allocation request response instruction CK2 is the response information returned by the device to the building gateway when it determines that the network parameters of the local device do not match the network parameters of the VPN subnet segment.

[0083] Step 101-4-2: The device that sent the first allocation request response instruction is designated as an unregistered device.

[0084] If the building gateway receives a response command of CK2, it will designate the device that sent CK2 as an unregistered device. After discovering an unregistered device, the building gateway can then assign network parameters to it.

[0085] Step 101-4-3: The device that sends the registration response instruction is designated as a candidate registered device, and registration confirmation information is sent to the candidate registered device. If a second allocation request response instruction is received from any candidate registered device within the set confirmation period for sending the registration confirmation information, the device that sends the second allocation request response instruction is designated as an unregistered device; the device that does not send the second allocation request response instruction is designated as a registered device.

[0086] Specifically, after receiving CK1, the building gateway can designate the device that sent CK1 as a candidate registered device and immediately reply with registration confirmation information CA1 via unicast to the corresponding candidate registered device.

[0087] After sending CK1, the device in the system continues to wait for the registration confirmation information CA1 from the building gateway. If CA1 is not received within the timeout period, it means that the current network configuration parameters of this device are unavailable (such as due to conflicts). In this case, the device replies with the second allocation request response instruction CK4 to the multicast address B1.

[0088] After receiving CK4, the building gateway can treat the candidate registered device that sent CK4 as an unregistered device for network reallocation, while the candidate registered device that did not send CK4 is identified as a registered device.

[0089] Step 101-5: Add the registered device to the local legitimate device set and mark it as a device within the system.

[0090] In one embodiment, step 101-5 may further include the following steps:

[0091] The device information of the registered devices is recorded in the device information table corresponding to the local legitimate device set.

[0092] The device information table records the device information of each device in the local legitimate device set. This device information includes IP address, MAC address, device type, etc. The device information table Tab1 can be shown as in Table 1 below:

[0093] Table 1 (device information table Tab1: IP address, MAC address and device type of each legitimate device; table body not captured in this extraction)

[0095] Step 101-6: For unregistered devices, internal network addresses are allocated based on the set of free IP addresses, and unregistered devices that have completed their internal network address settings are added to the local legitimate device set as registered devices.

[0096] In one embodiment, step 101-6 may further include the following steps:

[0097] For any unregistered device, obtain its original IP address and MAC address; select an idle IP address from the set of idle IP addresses as the target idle IP address; generate allocation confirmation information based on the unregistered device's original IP address and MAC address, and the target idle IP address, and send the allocation confirmation information in a multicast group; receive registration response information based on the allocation confirmation information, wherein the registration response information is information returned to the building gateway by the device in the multicast group after receiving the allocation confirmation information, comparing its original IP address and MAC address with its own IP address and MAC address, and setting its own internal LAN port network parameters according to the target idle IP address carried in the allocation confirmation information when the comparison is consistent; add the unregistered device that sent the registration response information as a registered device to the local legitimate device set.

[0098] In this step, after the building gateway determines that the device is an unregistered device, it saves the device's current IP address (as the original IP address) and MAC address. Then, it selects an idle IPi from the current idle IP address set F and sends the allocation confirmation information CK3 to multicast group B1 with the GWC gateway's IP address, the newly allocated IPi and its associated network parameters, and the device's original IP address and MAC address.

[0099] After receiving the allocation confirmation information CK3, each device in multicast group B1 first determines whether the original IP address and MAC address carried in the allocation confirmation information match its own current IP address and MAC address. If they match, the device sets its own network parameters according to the newly allocated IPi and the corresponding network parameters in the frame, and replies to the GWC with the registration response information using the GWC's IP address (IP1).

[0100] In practice, the registration response information is the same as the registration response command CK1. This registration response information may also include: its own network parameters (local IP address, subnet mask, gateway), MAC address, device type, etc.

[0101] It should be noted that during the communication interaction between the building gateway and the devices within the system, the content of the interaction frame payload can be encrypted using a local default key and encryption algorithm fl to improve data security.

[0102] In another embodiment, when a third-party standard device (such as a PC or other standard network interface field terminal device) is detected, its network parameter configuration can be automatically allocated by the DHCP (Dynamic Host Configuration Protocol) service of the internal network port of the building gateway GWC, or it can be statically set by the user according to the local branch side VPN subnet range. This embodiment does not limit this.

[0103] In one implementation, as shown in Figure 4, when performing device detection on a third-party standard device, step 101 may further include the following steps:

[0104] Step 101-7: Obtain the site deployment information table.

[0105] The site deployment information table records the business deployment parameters corresponding to different building sites. These business deployment parameters may include, for example, the building gateway identifier, business type, open protocol type, and third-party interface address corresponding to each building site.

[0106] In addition, the site deployment information table may also include central side IPsecVPN access parameters, branch side IPsecVPN subnet construction parameters, etc., as shown in Table 2 below.

[0107]

[0108]

[0109] Table 2

[0110] Step 101-8: Search for data records that match the building gateway in the site deployment information table, and then search for data records with open protocol types from these data records as target data records.

[0111] For example, in Table 2, the device number of the building gateway is searched through the "Building Gateway Device Number" field to obtain the data record that matches the building gateway. Then, from the data records that match the building gateway, the data record with a non-empty "Open Protocol Type" is searched as the target data record.

[0112] It should be noted that if the "open protocol type" and "third-party interface address" recorded in the data record matching the building gateway are empty, then the process of this embodiment will be skipped.

[0113] Step 101-9: Capture intranet inflow packets and obtain the destination address, protocol, and port information of the intranet inflow packets.

[0114] When implemented, the building gateway can activate the intranet port inflow packet capture function to capture intranet inflow packets and analyze the destination address, network layer protocol and port information of the captured intranet inflow packets.

[0115] Step 101-10: If the destination address, protocol, and port information of the intranet inflow packet match the open protocol type and third-party interface address recorded in the target data record, then add the device to which the intranet inflow packet belongs to the local legitimate device set and mark the device as a third-party standard device.

[0116] In this step, for intranet inflow packets that match the "open protocol type" and "third-party interface address" in the target data record, the device to which it belongs is added to the local legitimate device set Tab1, and the device type is marked as third-party / standard network device.

[0117] In one embodiment, the access control rules include an access whitelist and an access blacklist; as shown in Figure 5, step 102 may further include the following steps:

[0118] Step 102-1: Obtain the original IP address and MAC address of each device in the local legitimate device set, and bind the original IP address to the MAC address to generate the first whitelist subset.

[0119] Specifically, for incoming data packets from the network's internal interface, the building gateway can add the device entries in Tab1 to the local VPN subnet inbound whitelist WN1 based on Tab1. Preferably, the device entries in Tab1 with a non-zero VPN connection count can be added to the local VPN subnet inbound whitelist WN1.

[0120] Then, based on WN1, the original IP address and MAC address of the device in WN1 are bound to form the first whitelist subset, namely the MAC and IP binding rule set R1.

[0121] Incoming data packets from devices not within this R1 are denied entry into the local VPN subnet via the building gateway's internal network port.

[0122] Step 102-2: For third-party standard devices in the local legitimate device set, obtain their open protocol type and third-party interface address from the pre-generated site deployment information table, and generate a second whitelist subset.

[0123] In this step, the building gateway, based on the "business type", "third-party interface address" and "open protocol type" in the site deployment information table, forms a device set N2 for devices in Tab1 that belong to the third-party standard device type, and forms a packet filtering rule set R2, which is the second whitelist subset, based on its source address range, open protocol type and third-party interface address.

[0124] For devices within the N2 address range, those whose source address range, open protocol type, and third-party interface address conform to the access control rule set R2 are allowed to pass. Packets flowing into the external network (WAN) and internal network (LAN) that do not belong to rule set R2 are not allowed to pass.

[0125] Step 102-3: Generate an access whitelist list from the first whitelist subset and the second whitelist subset.

[0126] After obtaining R1 and R2, the two can be combined to form the whitelist set R5, which is the access whitelist list.

[0127] Step 102-4: Obtain the pre-generated and real-time updated access blacklist.

[0128] In this step, access control for packets flowing into the gateway's WAN port and those flowing into the internal network (excluding VPN packets) uses a blacklist (BN1). The initial blacklist is empty, meaning it's fully open by default. Subsequently, based on attack protection monitoring, abnormal addresses are automatically added to the blacklist (BN1). This access blacklist has a set of packet filtering rules (R3).

[0129] If Tab1, the "Third-Party Connection Address", the "Open Protocol Type", etc. are updated while the building gateway GWC is running, the corresponding rule sets R1, R2 and R3 are updated by following the steps above.
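The detection of third-party standard devices from captured intranet packets (steps 101-7 to 101-10) and the construction of the whitelist subsets R1 and R2 and the blacklist BN1 (steps 102-1 to 102-4) can be illustrated together, since both work on the same site deployment table and the same packet fields. The following Python is an added example written for this page, not code from the patent or its assignee; the table layout, field names, addresses, MAC addresses, ports and the packet structure are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed site deployment information table (plays the role of Table 2);
# field names and values are assumptions for this example.
SITE_TABLE = [
    {"gateway_id": "GWC-01", "business_type": "BMS",
     "open_protocol": "tcp", "third_party_addr": "10.10.1.20:47808"},
    {"gateway_id": "GWC-01", "business_type": "Access",
     "open_protocol": "", "third_party_addr": ""},          # empty -> skipped ([0112])
    {"gateway_id": "GWC-02", "business_type": "BMS",
     "open_protocol": "udp", "third_party_addr": "10.10.2.5:502"},
]

# Devices already registered through the multicast procedure (constructed entry).
CONTROLLERS = {
    "aa:bb:cc:00:00:10": {"ip": "10.10.1.10", "mac": "aa:bb:cc:00:00:10", "type": "controller"},
}


@dataclass(frozen=True)
class Packet:
    iface: str      # "lan" (intranet port), "wan" or "vpn"
    src_ip: str
    src_mac: str
    dst_ip: str
    proto: str
    dst_port: int


# Constructed sample of captured intranet and WAN inflow packets.
PACKETS = [
    Packet("lan", "10.10.1.50", "aa:bb:cc:00:00:01", "10.10.1.20", "tcp", 47808),  # hits target record
    Packet("lan", "10.10.1.60", "aa:bb:cc:00:00:02", "10.10.1.20", "tcp", 80),     # no match
    Packet("wan", "203.0.113.9", "00:00:00:00:00:00", "10.10.1.1", "tcp", 443),    # WAN inflow
]


def target_records(site_table, gateway_id):
    """Step 101-8: rows of this gateway whose open protocol type and interface address are set."""
    return [r for r in site_table
            if r["gateway_id"] == gateway_id and r["open_protocol"] and r["third_party_addr"]]


def split_addr(addr):
    ip, port = addr.rsplit(":", 1)
    return ip, int(port)


def detect_third_party(site_table, gateway_id, packets, tab1=None):
    """Steps 101-9/101-10: a LAN inflow packet whose destination address, protocol and
    port match a target record marks its sender as a third-party standard device in Tab1."""
    tab1 = dict(tab1 or {})
    for p in packets:
        if p.iface != "lan":
            continue
        for r in target_records(site_table, gateway_id):
            ip, port = split_addr(r["third_party_addr"])
            if (p.dst_ip, p.dst_port, p.proto) == (ip, port, r["open_protocol"]):
                tab1[p.src_mac] = {"ip": p.src_ip, "mac": p.src_mac, "type": "third_party"}
    return tab1


def build_r1(tab1):
    """Step 102-1: MAC/IP binding rule set R1."""
    return {(d["ip"], d["mac"]) for d in tab1.values()}


def build_r2(tab1, site_table, gateway_id):
    """Step 102-2: filter tuples (src_ip, proto, dst_ip, dst_port) for third-party devices."""
    rules = set()
    for d in tab1.values():
        if d["type"] != "third_party":
            continue
        for r in target_records(site_table, gateway_id):
            ip, port = split_addr(r["third_party_addr"])
            rules.add((d["ip"], r["open_protocol"], ip, port))
    return rules


class GatewayFilter:
    """Applies R5 = R1 + R2 to LAN inflow and the blacklist BN1 to WAN and non-VPN LAN inflow."""

    def __init__(self, tab1, site_table, gateway_id):
        self.r1 = build_r1(tab1)
        self.r2 = build_r2(tab1, site_table, gateway_id)
        self.third_party_ips = {d["ip"] for d in tab1.values() if d["type"] == "third_party"}
        self.blacklist = set()   # BN1 starts empty, i.e. fully open ([0128])

    def allow(self, p):
        if p.iface in ("lan", "wan") and p.src_ip in self.blacklist:
            return False
        if p.iface == "lan":
            if (p.src_ip, p.src_mac) not in self.r1:
                return False                                        # [0121]
            if p.src_ip in self.third_party_ips:                    # device set N2
                return (p.src_ip, p.proto, p.dst_ip, p.dst_port) in self.r2   # [0124]
        return True
```

Only the first LAN packet matches the gateway's target record, so its sender is added to Tab1 as a third-party device; the sender of the second packet stays unknown and is dropped by R1, and a third-party device sending to any destination not in R2 is dropped as well, while WAN inflow passes until an address is placed on BN1.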

[0130] In one embodiment, step 103 may further include the following steps:

[0131] Step 103-1: Based on the device information table of the local legitimate device set, obtain the access information of each device type that is allowed to flow in under the access control rules. The access information includes the licensed protocol, the access source, and the average traffic rate.

[0132] The average traffic rate refers to the average traffic rate observed for the same device type from the same licensed protocol and the same access source.

[0133] Access information for each device type flowing in based on access control rules can include access information for each device type that is allowed to flow in according to a whitelist or blacklist.

[0134] Step 103-2: Generate a type access lookup table based on the device type and the access information.

[0135] Specifically, the building gateway can obtain the access information for each device type recorded in Tab1 and establish a type access lookup table Tab2. The fields of Tab2 may include: service type, service / application, protocol (i.e., licensed protocol), port, access source, average traffic rate, etc., as shown in Table 3 below:

[0136]

[0137] Table 3

[0138] If the device type is a non-third-party / standard device, the contents of each field are set according to the default definition of the device in the system; if the device type is a third-party / standard device, its protocol type is consistent with the "third-party protocol type" in the site deployment information table of this site, and its access source is divided according to the "third-party interface address" in the site deployment information table of this site. For example, if it is a VPN subnet, it is recorded as a VPN subnet, and if it is an external network, it is recorded as an external network.

[0139] Step 103-3: Traverse each device in the device information table, and based on the device type of the currently traversed device, search for the target access information corresponding to that device type in the type access lookup table.

[0140] Step 103-4: If the destination is an external network, the number of licensed protocols whose access source is an external network in the target access information is used as the estimated number of external network links, and the average of the average traffic rates of the licensed protocols whose access source is an external network in the target access information is used as the estimated external network traffic rate.

[0141] Step 103-5: If the destination is within the VPN intranet, the number of licensed protocols whose access source is the VPN subnet in the target access information is used as the estimated number of VPN links, and the average of the average traffic rates of the licensed protocols whose access source is the VPN subnet in the target access information is used as the estimated VPN traffic rate.

[0142] Step 103-6: Add the resource reservation information for each device to the device information table.

[0143] For example, resource reservation information may include: estimated number of external network links, estimated external network traffic rate, estimated number of VPN links, estimated VPN traffic rate, connection reservation factor, etc.

[0144] During implementation, each device in Tab1 is looked up in the type access lookup table Tab2 according to its device type, which yields its licensed protocols and the average traffic rate corresponding to each protocol. If the destination is on the external network, the number of these protocols is taken as the estimated number of external network links dev_i.WanLinkNum for the device, and the average of the average traffic rates of its protocols is taken as the estimated external network traffic rate dev_i.WanRate; if the destination is within the VPN intranet, the number of these protocols is taken as the estimated number of VPN links dev_i.VpnLinkNum, and the average of the average traffic rates of its protocols is taken as the estimated VPN traffic rate dev_i.VpnRate.

[0145] After obtaining the resource reservation information K for each device, the resource reservation information K can be added to each device item in Table 1, as shown in Table 4 below:

[0146]

[0147] Table 4
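The lookup of steps 103-1 to 103-6, in which every Tab1 entry is joined against Tab2 by device type and the per-side link count and mean rate are derived, as an added Python example written for this page (not the patent's own code). The Tab2 rows, service names, ports, rates (taken as kbit/s) and the Tab1 entries are constructed assumptions; the column name "source" stands for the "access source" field.

```python
from statistics import mean

# Constructed type access lookup table Tab2 (stands in for Table 3); rows are assumptions.
TAB2 = [
    {"type": "controller",  "service": "telemetry",   "proto": "tcp", "port": 8883,  "source": "vpn", "avg_rate": 120.0},
    {"type": "controller",  "service": "maintenance", "proto": "tcp", "port": 22,    "source": "vpn", "avg_rate": 40.0},
    {"type": "controller",  "service": "time-sync",   "proto": "udp", "port": 123,   "source": "wan", "avg_rate": 1.0},
    {"type": "third_party", "service": "open-if",     "proto": "tcp", "port": 47808, "source": "vpn", "avg_rate": 200.0},
    {"type": "third_party", "service": "vendor",      "proto": "tcp", "port": 443,   "source": "wan", "avg_rate": 80.0},
    {"type": "third_party", "service": "vendor",      "proto": "udp", "port": 443,   "source": "wan", "avg_rate": 20.0},
]

# Constructed local legitimate device set Tab1 (device information table).
TAB1 = [
    {"name": "ctrl-1", "ip": "10.10.1.10", "type": "controller"},
    {"name": "ctrl-2", "ip": "10.10.1.11", "type": "controller"},
    {"name": "bms-pc", "ip": "10.10.1.50", "type": "third_party"},
]


def reservation_for_side(tab2, device_type, source):
    """Steps 103-3 to 103-5 for one destination side ("wan" or "vpn"): the number of
    licensed protocols from that access source is the estimated link count, and the
    mean of their average traffic rates is the estimated traffic rate."""
    rows = [r for r in tab2 if r["type"] == device_type and r["source"] == source]
    link_num = len(rows)
    rate = mean(r["avg_rate"] for r in rows) if rows else 0.0   # no rows: nothing to reserve
    return link_num, rate


def add_reservation(tab1, tab2):
    """Step 103-6: return Tab1 with the resource reservation information K added per device."""
    out = []
    for dev in tab1:
        wan_links, wan_rate = reservation_for_side(tab2, dev["type"], "wan")
        vpn_links, vpn_rate = reservation_for_side(tab2, dev["type"], "vpn")
        out.append({**dev,
                    "WanLinkNum": wan_links, "WanRate": wan_rate,    # dev_i.WanLinkNum, dev_i.WanRate
                    "VpnLinkNum": vpn_links, "VpnRate": vpn_rate})   # dev_i.VpnLinkNum, dev_i.VpnRate
    return out


if __name__ == "__main__":
    for row in add_reservation(TAB1, TAB2):
        print(row)
```

With these rows a controller reserves one WAN link at 1.0 and two VPN links at the mean rate 80.0, while the third-party PC reserves two WAN links at 50.0 and one VPN link at 200.0; a device type that has no Tab2 row on a side reserves nothing on that side.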

[0148] In one embodiment, step 104 may further include the following steps:

[0149] Step 104-1: Based on the resource reservation information, determine the initial attack protection parameters for the external network or VPN. The initial attack protection parameters include: total traffic warning value, total traffic security value, multi-connection warning value, and connection security value for each device.

[0150] For example, the initial parameters for attack protection may include: WAN total traffic warning value, WAN total traffic security value, VPN total traffic warning value, VPN total traffic security value, external network connection security value for each device, VPN connection security value for each device, WAN port multi-connection warning value, VPN multi-connection warning value, etc.

[0151] In one implementation, the total traffic warning value is calculated as follows: obtain the inflow traffic rate of each device at the current inlet, and use the sum of these inflow traffic rates as the total traffic warning value of the current inlet, where the current inlet is the external network port or the VPN port.

[0152] The total traffic security value is calculated as follows: the total traffic warning value is increased by the proportion given by the traffic reservation factor set for the current inlet, i.e. multiplied by (1 + factor), to obtain the total traffic security value, where the traffic reservation factor is less than 1.

[0153] Specifically, the total WAN traffic warning value is calculated as follows: the inflow rate of any device i through the WAN port is expressed as its estimated WAN traffic rate dev_i.WanRate; the WAN total traffic warning value wanTotalRateWarn is then the sum of the WAN-port inflow traffic rates of all devices, that is:

[0154]

[0155] The WAN total traffic security value is calculated as follows: Assuming the external network traffic reservation factor is represented as 'a' (a < 1, for example, the initial value of 'a' is 0.5 by default), then the WAN total traffic security value wanTotalRateSaf is:

[0156] wanTotalRateSaf=wanTotalRateWarn×(1+a)

[0157] The VPN total traffic warning value is calculated as follows: for VPN subnet traffic, the VPN inbound traffic rate of any device i is represented as its estimated VPN traffic rate dev_i.VpnRate; the VPN total traffic warning value VpnTotalRateWarn is then the sum of the VPN inbound traffic rates of all devices, that is:

[0158]

[0159] The VPN total traffic security value is calculated as follows: Assuming the VPN traffic reservation factor is represented by b (b < 1, for example, the initial value of b is 0.5 by default), then the VPN total traffic security value VpnTotalRateSaf is:

[0160] VpnTotalRateSaf=VpnTotalRateWarn×(1+b)

[0161] In one implementation, the connection security value for each device is calculated as follows: obtain the number of connections of each device at the current inlet, and increase that number by the proportion given by the connection reservation factor set for the current inlet to obtain the corresponding connection security value, where the connection reservation factor is less than 1.

[0162] Specifically, the external network connection security value of device i is calculated as follows: the number of external network connections of any device i is expressed as its estimated number of external network links dev_i.WanLinkNum; assuming the external network connection reservation factor of device i is represented as Dev_i.C (Dev_i.C < 1; for example, the initial value of Dev_i.C is 0.5 by default), the external network connection security value dev_i.WanLinkSaf of device i can be expressed as:

[0163] dev_i.WanLinkSaf = dev_i.WanLinkNum × (1 + Dev_i.C)

[0164] The VPN connection security value of device i is calculated as follows: the number of VPN connections of any device i is represented as its estimated number of VPN links dev_i.VpnLinkNum; assuming the VPN connection reservation factor of device i is represented as Dev_i.D (Dev_i.D < 1; for example, the initial value of Dev_i.D is 0.5 by default), the VPN connection security value dev_i.VpnLinkSaf of device i can be expressed as:

[0165] dev_i.VpnLinkSaf = dev_i.VpnLinkNum × (1 + Dev_i.D)

[0166] The multi-connection warning value is calculated as follows: the product of the total traffic warning value of the current inlet and the connection security factor is used as the multi-connection warning value of the current inlet. The connection security factor is the ratio of the sum of the connection reservation factors of each device at the current inlet to the number of devices.

[0167] Specifically, the multi-connection warning value is calculated as follows: Based on the WAN total traffic warning value wanTotalRateWarn, the WAN port multi-connection warning value WanMultiLinkRateWarn can be calculated using the following formula:

[0168] WanMultiLinkRateWarn=f×WanTotalRateWarn

[0169] Where f is the connection security factor, which can be calculated for WAN ports using the following formula:

[0170]

[0171] Where n is the total number of devices in the current system.

[0172] Based on the VPN total traffic warning value VpnTotalRateWarn, the VPN multi-link warning value VpnMultiLinkRateWarn can be calculated using the following formula:

[0173] VpnMultiLinkRateWarn=f×VpnTotalRateWarn

[0174] Where f is the connection security coefficient, which can be calculated for VPNs using the following formula:

[0175]

[0176] Where n is the total number of devices in the current system.

[0177] In other examples, f can also be a default value, f<1, for example, the initial value of f is 0.5 by default.

[0178] Step 104-2: When the preset reserved resource learning period arrives, determine the maximum value of the external network or VPN traffic rate based on the traffic rate of the internal and external networks or VPNs during the reserved resource learning period, and adjust the corresponding total traffic security value according to the maximum traffic rate.

[0179] In one implementation, during normal operation, reserved resources are learned at intervals of TP30 (i.e., learning cycles). The total traffic rate flowing in from the external network and VPN, the number of external network connections and VPN connections of each device are counted, and the traffic reservation factors a and b are recalculated accordingly.

[0180] In one embodiment, step 104-2 may further include the following steps: if the maximum traffic rate of the external network or VPN is greater than the corresponding total traffic warning value, calculate the difference between the two and update the corresponding traffic reservation factor to the ratio of the difference to the maximum traffic rate; if the maximum traffic rate of the external network or VPN is less than or equal to the corresponding total traffic warning value, update the corresponding traffic reservation factor to the value 0; update the total traffic security value according to the updated traffic reservation factor.

[0181] Specifically, during the learning period TP30, the maximum traffic rate wan_Rmax (or vpn_Rmax) from the external network (or VPN) is recorded. The total traffic warning value from the external network (or VPN) is represented as WanTotalRateWarn (or VpnTotalRateWarn). The calculation formulas for the external network traffic reservation factor a and the VPN traffic reservation factor b are as follows:

[0182]

[0183]

[0184] Based on the recalculated values of a and b, the WAN total traffic security value wanTotalRateSaf and the VPN total traffic security value VpnTotalRateSaf can be recalculated.

[0185] Step 104-3: Based on the maximum number of external network or VPN connections for each device during the learning cycle, adjust the multi-connection warning value for the external network or VPN and the connection security value for each device.

[0186] Specifically, during the learning cycle TP30, the maximum number of external network (or VPN) connections of device i is recorded as wanDev_i.Lmax (or vpnDev_i.Lmax). If wanDev_i.Lmax (or vpnDev_i.Lmax) is greater than the estimated number of external network links dev_i.WanLinkNum of device i (also written WanDev_i.LinkWarn) or the estimated number of VPN links dev_i.VpnLinkNum (also written VpnDev_i.LinkWarn), then the external network connection reservation factor Dev_i.C (or the VPN connection reservation factor Dev_i.D) is calculated using the following formula:

[0187]

[0188]

[0189] Based on the recalculated Dev_i.C and Dev_i.D, the external network connection security value dev_i.WanLinkSaf and the VPN connection security value dev_i.VpnLinkSaf of device i, the WAN port multi-connection warning value WanMultiLinkRateWarn, and the VPN multi-connection warning value VpnMultiLinkRateWarn can then be recalculated.
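The parameter derivation of step 104-1 (total traffic warning and security values, per-device connection security values, connection security factor f and multi-connection warning values) and the learning update of steps 104-2 and 104-3 are carried through below in Python. This is an added example written for this page, not the patent's own code. The device names, reservation values and the observed maxima are constructed; the traffic-factor update implements the rule stated in [0180], whereas the connection-factor update uses the same (max - estimate) / max form by assumption, because the page gives only the condition under which Dev_i.C and Dev_i.D are recalculated, not the formula itself.

```python
from dataclasses import dataclass


@dataclass
class Device:
    name: str
    WanLinkNum: int      # estimated number of WAN links dev_i.WanLinkNum
    WanRate: float       # estimated WAN traffic rate dev_i.WanRate (kbit/s, constructed)
    VpnLinkNum: int      # estimated number of VPN links dev_i.VpnLinkNum
    VpnRate: float       # estimated VPN traffic rate dev_i.VpnRate
    C: float = 0.5       # WAN connection reservation factor Dev_i.C (default 0.5 per [0162])
    D: float = 0.5       # VPN connection reservation factor Dev_i.D (default 0.5 per [0164])


# Constructed reservation information for two devices (values are assumptions).
DEVICES = [Device("ctrl-1", 1, 10.0, 2, 80.0), Device("bms-pc", 2, 50.0, 1, 200.0)]


def protection_parameters(devs, a, b):
    """Step 104-1: initial attack protection parameters for the WAN and VPN inlets.
    a, b are the WAN and VPN traffic reservation factors (both < 1)."""
    n = len(devs)
    wan_warn = sum(d.WanRate for d in devs)          # [0153]
    vpn_warn = sum(d.VpnRate for d in devs)          # [0157]
    f_wan = sum(d.C for d in devs) / n               # connection security factor, WAN ([0170])
    f_vpn = sum(d.D for d in devs) / n               # connection security factor, VPN ([0175])
    return {
        "wanTotalRateWarn": wan_warn, "wanTotalRateSaf": wan_warn * (1 + a),      # [0156]
        "VpnTotalRateWarn": vpn_warn, "VpnTotalRateSaf": vpn_warn * (1 + b),      # [0160]
        "WanMultiLinkRateWarn": f_wan * wan_warn,                                  # [0168]
        "VpnMultiLinkRateWarn": f_vpn * vpn_warn,                                  # [0173]
        "WanLinkSaf": {d.name: d.WanLinkNum * (1 + d.C) for d in devs},            # [0163]
        "VpnLinkSaf": {d.name: d.VpnLinkNum * (1 + d.D) for d in devs},            # [0165]
    }


def learned_traffic_factor(r_max, total_warn):
    """Step 104-2 ([0180]): (Rmax - Warn) / Rmax when Rmax exceeds the warning value, else 0."""
    return (r_max - total_warn) / r_max if r_max > total_warn else 0.0


def learned_connection_factor(l_max, link_num, current):
    """Step 104-3: recalculated only when Lmax > LinkNum ([0186]). The form used here is an
    ASSUMPTION by analogy with [0180]; the page does not reproduce the formula."""
    return (l_max - link_num) / l_max if l_max > link_num else current


def relearn(devs, wan_rmax, vpn_rmax, wan_lmax, vpn_lmax):
    """One learning period TP30: recompute a, b, Dev_i.C, Dev_i.D and every derived value.
    wan_lmax / vpn_lmax map device name -> observed maximum connection count."""
    base = protection_parameters(devs, 0.0, 0.0)     # warning values do not depend on a, b
    a = learned_traffic_factor(wan_rmax, base["wanTotalRateWarn"])
    b = learned_traffic_factor(vpn_rmax, base["VpnTotalRateWarn"])
    for d in devs:
        d.C = learned_connection_factor(wan_lmax[d.name], d.WanLinkNum, d.C)
        d.D = learned_connection_factor(vpn_lmax[d.name], d.VpnLinkNum, d.D)
    return a, b, protection_parameters(devs, a, b)


if __name__ == "__main__":
    print(protection_parameters(DEVICES, 0.5, 0.5))
    print(relearn(DEVICES, 80.0, 280.0, {"ctrl-1": 1, "bms-pc": 4}, {"ctrl-1": 2, "bms-pc": 1}))
```

With the default factors the WAN warning value is 60.0 and its security value 90.0; after a learning period in which the WAN peak reached 80.0, a drops from 0.5 to 0.25 and the security value tightens to 75.0, while a VPN peak that never exceeded the warning value sets b to 0 so that the VPN security value collapses onto the warning value.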

[0190] In one embodiment, as shown in Figure 6, step 105 may further include the following steps:

[0191] Step 105-1: Monitor inbound traffic from the external network and VPN.

[0192] Specifically, the traffic monitoring targets are WAN inbound traffic (WL) and VPN inbound total traffic (VL). No action is taken when the traffic is below the corresponding warning value. When the traffic is above the corresponding warning value but below the corresponding security value, the system enters the anti-attack packet monitoring state. The system continuously counts the source inflow rate of each device based on the source address of the inflow packets (including the building gateway itself). When the rate is above the corresponding security value, the system performs attack suppression.

[0193] Step 105-2: If the inbound traffic from the external network or the total inbound traffic from the VPN exceeds the corresponding multi-connection warning value, then obtain the continuously counted number of connections for each device on the VPN internal network.

[0194] Specifically, if the inbound traffic from the external network exceeds the multi-connection warning value of the WAN port, or if the total inbound traffic from the VPN exceeds the multi-connection warning value of the VPN, then the multi-connection attack prevention monitoring of the corresponding interface will be enabled (i.e., continuously counting the number of connections of internal network devices).

[0195] Step 105-3: Determine if there are any devices with a number of connections exceeding their corresponding safe connection limit; if so, proceed to step 105-4; otherwise, proceed to step 105-5.

[0196] Specifically, if the number of connections of a device exceeds its VPN connection security limit, the device will be subject to multi-connection attack suppression and enter the multi-connection attack protection process.

[0197] Step 105-4: Trigger the multi-connection attack protection process.

[0198] In one embodiment, the multi-connection attack protection process includes the following steps:

[0199] Step 105-4-1: Select the device with the largest number of connections as the target for multi-connection suppression.

[0200] For example, the device address B with the largest number of destination connections within the intranet is selected as the multi-connection suppression object B.

[0201] Step 105-4-2: Activate access control rules to limit the number of connections of the multi-connection suppression object to within its corresponding connection security value, and keep suppressing the inbound packets of the multi-connection suppression object until the set first suppression duration is reached.

[0202] For example, the number of connections whose destination address is device address B is limited to below the connection security value dev_B.WanLinkSaf or dev_B.VpnLinkSaf corresponding to that device, and the suppression of inbound packets to this multi-connection suppression object is maintained for the duration TP20.

[0203] Step 105-4-3: Determine whether the number of connections of the multi-connection suppression object exceeds its corresponding safe connection value; if yes, proceed to step 105-4-4; otherwise, proceed to step 105-4-5.

[0204] Specifically, after the suppression duration TP20, it is checked again whether the number of connections destined for the suppressed object B exceeds the corresponding connection security value dev_B.WanLinkSaf or dev_B.VpnLinkSaf. If not, the attack on device B has been successfully suppressed; if yes, proceed to step 105-4-4.

[0205] Step 105-4-4: Control the multi-connection suppression object to close the ports that currently carry the most connections and replace them with a new set of idle ports. Also notify the platform and the other devices of the new port set, and update the port information in the type access lookup table (Tab2).

[0206] Specifically, if the number of connections destined for device B still exceeds the corresponding safe connection limit, all currently connected ports of device B will be actively closed, and the ports will be sequentially replaced with other connectionless / idle (safe) port numbers within the device. Then, based on the adjusted new port set, the platform and other devices in the device information table will be notified of the following: the corresponding new ports for each service protocol port of this device after the change. Simultaneously, the relevant protocol ports in Tab2 will be updated synchronously.

[0207] Step 105-4-5: The attack on the multi-connection suppression object is determined to be successfully suppressed.

[0208] Continue checking the input streams of the next intranet device whose current connection count exceeds the safe connection count value, and perform multi-connection attack suppression processing according to the above steps until the number of connections of each device is lower than the corresponding safe connection count value.

[0209] Step 105-5: Determine whether the inbound traffic from the external network and the total inbound traffic from the VPN exceed the corresponding total traffic warning value; if they exceed, proceed to step 105-6; if they do not exceed, proceed to step 105-7.

[0210] Step 105-6: Trigger the fixed-source attack protection process.

[0211] In one embodiment, the fixed-source attack protection process may include the following steps:

[0212] Step 105-6-1: If the inbound traffic from the external network or the total inbound traffic from the VPN exceeds the corresponding total traffic security value, then select the source device with the highest traffic rate in the current inbound packet as the fixed source suppression target.

[0213] For example, the source with the highest traffic rate among all device sources is taken as the current attack suppression source T.

[0214] Step 105-6-2: Activate access control rules to limit the inflow of packets from fixed source suppression objects to within their corresponding total traffic warning value until the set second suppression duration is reached.

[0215] For example, the inflow rate of the suppression attack source T is limited to its traffic warning value; that is, inflow packets belonging to the suppression source T that exceed the traffic warning value are blocked. The suppression duration is the second suppression duration.

[0216] Step 105-6-3: Stop suppressing the inflow packets of the fixed source suppression object, and after a set time period, determine whether the inflow traffic from the external network and the total inflow traffic from the VPN are less than the corresponding total traffic security value; if yes, it is determined that the suppression of the fixed source suppression object is successful; if no, the fixed source suppression object is added to the access blacklist.

[0217] Specifically, check whether the total inflow to the corresponding interface has returned to the corresponding safe range. If so, wait for the suppression duration TP10 and then stop restricting the traffic to the source address T. If not, add the source address T to the blacklist of the corresponding access point (WAN or VPN) (i.e., restrict its data packet inflow).

[0218] After maintaining the running time TP11, check whether the current total traffic has returned to normal. If so, exit the suppression of the source address T; otherwise, add the source address T to the blacklist of the corresponding access point (WAN or VPN).

[0219] After the waiting interval TP12, continue to check whether the current total traffic remains normal. If it is not normal, repeat the fixed source attack suppression process described above until the total traffic of the corresponding interface meets the requirements.

[0220] Step 105-7: Wait for the next maintenance cycle to arrive, and clear all addresses in the blacklist when the next maintenance cycle arrives.

[0221] If the total WAN or VPN traffic of the system remains within the warning value for a period of time exceeding the normal maintenance period T13, the addresses in the corresponding blacklists of the external network and VPN entry points will be automatically cleared.
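The monitoring and suppression logic of steps 105-1 to 105-7, reduced to the decisions the gateway takes at each check point (below the warning value, between warning and security value, above the multi-connection warning value, and the re-checks after the suppression durations TP20 and the second suppression duration), as an added Python example written for this page rather than the patent's own code. The threshold values and the per-inlet dictionary layout are constructed assumptions; timers are represented by explicit re-check calls rather than real clocks.

```python
# Constructed thresholds in the terms of step 104-1; values are assumptions.
PARAMS = {
    "wan": {"warn": 60.0, "saf": 90.0, "multi": 30.0,
            "link_saf": {"ctrl-1": 1.5, "bms-pc": 3.0}},     # dev_i.WanLinkSaf
    "vpn": {"warn": 280.0, "saf": 420.0, "multi": 140.0,
            "link_saf": {"ctrl-1": 3.0, "bms-pc": 1.5}},     # dev_i.VpnLinkSaf
}


class AttackProtection:
    """Steps 105-1 to 105-7 as decision functions; every method returns what the
    gateway does next so the behaviour can be checked without live traffic."""

    def __init__(self, params):
        self.params = params
        self.blacklist = {"wan": set(), "vpn": set()}     # BN1 per inlet, initially empty

    def check_inlet(self, inlet, total_rate, conn_counts, source_rates):
        """One monitoring pass for inlet 'wan' or 'vpn'.
        total_rate: inbound total (WL or VL); conn_counts: device -> connection count;
        source_rates: source address -> inflow rate."""
        p = self.params[inlet]
        actions = []
        if total_rate > p["multi"]:                                      # 105-2
            over = {d: n for d, n in conn_counts.items() if n > p["link_saf"][d]}
            if over:                                                     # 105-3 -> 105-4-1
                target = max(over, key=over.get)                         # most connections first
                actions.append(("limit_connections", target, p["link_saf"][target]))
        if total_rate > p["saf"]:                                        # 105-6-1
            source = max(source_rates, key=source_rates.get)             # highest-rate source T
            actions.append(("limit_source", source, p["warn"]))          # 105-6-2
        elif total_rate > p["warn"]:                                     # [0192] monitoring state
            actions.append(("monitor_sources",))
        return actions or [("none",)]

    def after_connection_limit(self, inlet, target, conns_after):
        """Steps 105-4-3 to 105-4-5: re-check after the first suppression duration TP20."""
        if conns_after <= self.params[inlet]["link_saf"][target]:
            return "suppressed"
        return "rotate_ports"                                            # 105-4-4

    def after_source_limit(self, inlet, source, total_after):
        """Step 105-6-3: re-check after the second suppression duration."""
        if total_after < self.params[inlet]["saf"]:
            return "suppressed"
        self.blacklist[inlet].add(source)                                # restrict its inflow
        return "blacklisted"

    def maintenance_cycle(self, inlet, total_rate):
        """Step 105-7 / [0221]: clear the inlet's blacklist once traffic is back within
        the warning value; returns the number of addresses still blacklisted."""
        if total_rate <= self.params[inlet]["warn"]:
            self.blacklist[inlet].clear()
        return len(self.blacklist[inlet])
```

A pass with WAN inflow between the warning and security values only switches on source monitoring; a pass above the security value in which one device also exceeds its connection security value yields both a connection limit on that device and a rate limit on the highest-rate source, and the source is blacklisted only if the total has not returned below the security value after the second suppression duration.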

[0222] In this embodiment, by establishing a highly integrated foundation between the building gateway and building service data, the system automatically completes the detection and verification of devices belonging to the local building system and the allocation of VPN subnet addresses on the branch side, forming a local legitimate device set. Based on this legitimate device set and dynamically reserved resources, the system proactively constructs access control and attack protection for the building's local subnet while ensuring minimal impact on normal service access. Through dynamic analysis of reserved resources and traffic load based on the building gateway, access security control policies are proactively and automatically constructed. This effectively improves the adaptive level and security of IPsec VPN network security tunnel access between the user-side local building system and the cloud platform center, as well as the security protection of the building system subnet.

[0223] Example 2

[0224] Figure 7 is a schematic diagram of a network security protection device based on a building gateway, provided in Embodiment 2 of this application. The device is installed in a building gateway, and one building gateway corresponds to one or more building sites. Each building site includes one or more building terminal devices and a building controller connected to each building terminal device. The building terminal devices access the building gateway through the building controller. The device may include the following modules:

[0225] The legitimate device set construction module 201 is used to perform device detection in the building system, including the building controller and third-party standard devices, after the building gateway is connected to the VPN network, so as to construct a local legitimate device set;

[0226] The access control rule construction module 202 is used to construct access control rules for the local legitimate device set;

[0227] The resource reservation information determination module 203 is used to determine the resource reservation information of each legitimate device in the local legitimate device set based on the access control rules;

[0228] The attack protection parameter determination module 204 is used to determine attack protection parameters based on the resource reservation information;

[0229] The attack protection processing module 205 is used to perform attack protection processing on each legitimate device using the attack protection parameters.

[0230] In one embodiment, when performing device detection on devices within the system, the legitimate device set construction module 201 may include the following modules:

[0231] The multicast group creation module is used to create multicast groups, and the devices in the multicast group include several building controllers;

[0232] The idle IP address set generation module is used to scan local subnet devices to obtain the set of occupied IP addresses in the local subnet, and generate an idle IP address set based on the set of occupied IP addresses.

[0233] The device query module is used to send device query commands in multicast mode within the multicast group and receive response instructions returned by each device in the multicast group based on the device query commands.

[0234] The registration and identification module is used to determine registered and unregistered devices based on the response command.

[0235] The registered device processing module is used to add the registered devices to the local legitimate device set and mark them as devices within the system;

[0236] The unregistered device processing module is used to allocate intranet addresses to the unregistered devices based on the set of free IP addresses, and to add the unregistered devices that have completed the intranet address settings to the local legitimate device set as registered devices.

[0237] In one embodiment, the device query command includes a VPN subnet segment and the building gateway's own IP address;

[0238] The registration and identification module is specifically used for:

[0239] The response instruction is identified as either a registration response instruction or a first allocation request response instruction. The registration response instruction is the response a device returns to the building gateway when it determines that its own network parameters match those of the VPN subnet segment; the first allocation request response instruction is the response a device returns when it determines that its own network parameters do not match those of the VPN subnet segment.

[0240] A device that sends the first allocation request response instruction is designated as an unregistered device.

[0241] A device that sends the registration response instruction is designated as a candidate registered device, and registration confirmation information is sent to it. If a second allocation request response instruction is received from any candidate registered device within the confirmation period set for the registration confirmation information, that device is designated as an unregistered device; a candidate registered device that sends no second allocation request response instruction within the period is designated as a registered device.

[0242] In one embodiment, the unregistered device processing module is specifically used for:

[0243] For any unregistered device, obtain its original IP address and MAC address;

[0244] Select one idle IP address from the idle IP address set as the target idle IP address;

[0245] Generate an allocation confirmation message from the original IP address and MAC address of the unregistered device and the target idle IP address, and send the allocation confirmation message within the multicast group in multicast mode;

[0246] Receive the registration response information returned for the allocation confirmation message. Each device in the multicast group that receives the allocation confirmation message compares the original IP address and MAC address it carries with its own IP address and MAC address; only the device for which both match sets the network parameters of its intranet LAN port according to the target idle IP address carried in the allocation confirmation message and returns the registration response information to the building gateway;

[0247] Unregistered devices that send the registration response information are added to the local legitimate device set as registered devices.
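As an added illustration, not code from the patent, the following Python simulates the multicast exchange of [0231]-[0247] in-process, with the gateway and three building controllers as plain objects. The message names, the VPN subnet 10.8.0.0/24, the MAC addresses and the `needs_reallocation` flag (which stands in for whatever device-side condition makes a candidate answer the confirmation with a second allocation request, a condition the text does not specify) are assumptions. Note that the text describes no authentication of these messages: the (IP, MAC) pair a responder reports is taken at face value and, per [0256], later becomes its whitelist binding, so the resulting set is only as trustworthy as the link the multicast group runs on.

```python
"""Multicast device detection and intranet address allocation of
[0231]-[0247], simulated in-process. Added example; message names, the
VPN subnet 10.8.0.0/24 and the controllers below are constructed."""
import ipaddress
from dataclasses import dataclass, field

# Message types standing in for the patent's query / response instructions.
DEVICE_QUERY, REGISTRATION_RESPONSE = "DEVICE_QUERY", "REGISTRATION_RESPONSE"
FIRST_ALLOC_REQUEST, REGISTRATION_CONFIRM = "FIRST_ALLOC_REQUEST", "REGISTRATION_CONFIRM"
SECOND_ALLOC_REQUEST, ALLOC_CONFIRM = "SECOND_ALLOC_REQUEST", "ALLOC_CONFIRM"


@dataclass
class Controller:
    """A building controller that is a member of the multicast group."""
    mac: str
    ip: str                            # current LAN-port address
    needs_reallocation: bool = False   # assumption: stands in for whatever makes a
                                       # candidate answer with a second allocation request

    def on_query(self, msg):
        """[0239]: does my LAN address fall inside the advertised VPN subnet segment?"""
        inside = ipaddress.ip_address(self.ip) in ipaddress.ip_network(msg["vpn_subnet"])
        kind = REGISTRATION_RESPONSE if inside else FIRST_ALLOC_REQUEST
        return {"type": kind, "ip": self.ip, "mac": self.mac}

    def on_confirm(self, msg):
        """[0241]: a candidate may still ask for an address inside the confirmation window."""
        if self.needs_reallocation:
            return {"type": SECOND_ALLOC_REQUEST, "ip": self.ip, "mac": self.mac}
        return None

    def on_alloc_confirm(self, msg):
        """[0246]: every member compares; only the (IP, MAC) match reconfigures its LAN port."""
        if (msg["orig_ip"], msg["mac"]) != (self.ip, self.mac):
            return None
        self.ip, self.needs_reallocation = msg["target_ip"], False
        return {"type": REGISTRATION_RESPONSE, "ip": self.ip, "mac": self.mac}


@dataclass
class Gateway:
    ip: str
    vpn_subnet: str
    legit: dict = field(default_factory=dict)   # MAC -> {"ip": ..., "role": ...}

    def free_ips(self, occupied):
        """[0232]: subnet hosts minus the scanned occupied addresses and the gateway itself."""
        net = ipaddress.ip_network(self.vpn_subnet)
        taken = set(occupied) | {self.ip}
        return [str(h) for h in net.hosts() if str(h) not in taken]

    def detect(self, group, occupied):
        """[0233]-[0236] and [0243]-[0247] over one multicast group."""
        free = self.free_ips(occupied)
        query = {"type": DEVICE_QUERY, "vpn_subnet": self.vpn_subnet, "gateway_ip": self.ip}
        replies = [(dev, dev.on_query(query)) for dev in group]
        unregistered = [dev for dev, r in replies if r["type"] == FIRST_ALLOC_REQUEST]
        confirm = {"type": REGISTRATION_CONFIRM, "gateway_ip": self.ip}
        for dev, r in replies:
            if r["type"] != REGISTRATION_RESPONSE:
                continue                                   # not a candidate
            if dev.on_confirm(confirm):                    # second allocation request
                unregistered.append(dev)
            else:                                          # [0235]: registered, in-system
                self.legit[dev.mac] = {"ip": dev.ip, "role": "in-system"}
        for dev in unregistered:                           # [0243]-[0247]
            if not free:
                raise RuntimeError("idle IP address set exhausted")
            alloc = {"type": ALLOC_CONFIRM, "orig_ip": dev.ip, "mac": dev.mac,
                     "target_ip": free.pop(0)}
            for member in group:                           # multicast: everyone compares
                r = member.on_alloc_confirm(alloc)
                if r:
                    self.legit[r["mac"]] = {"ip": r["ip"], "role": "in-system"}
        return self.legit


def run_demo():
    """Constructed group: one controller already on the VPN subnet, one on a
    factory-default address, one on the subnet but asking to be re-addressed."""
    gw = Gateway(ip="10.8.0.1", vpn_subnet="10.8.0.0/24")
    group = [Controller("00:11:22:33:44:01", "10.8.0.10"),
             Controller("00:11:22:33:44:02", "192.168.1.20"),
             Controller("00:11:22:33:44:03", "10.8.0.11", needs_reallocation=True)]
    # The subnet scan of [0232] only sees addresses currently inside the subnet.
    net = ipaddress.ip_network(gw.vpn_subnet)
    occupied = [d.ip for d in group if ipaddress.ip_address(d.ip) in net]
    return gw, group, gw.detect(group, occupied)


if __name__ == "__main__":
    for mac, entry in run_demo()[2].items():
        print(mac, entry)
```

Running it yields three in-system entries: the first controller keeps 10.8.0.10, the factory-default one is moved to 10.8.0.2 (the lowest idle address after the gateway and the two occupied hosts are removed), and the re-addressing candidate ends up on 10.8.0.3; the idle set is consumed in order, so exhausting it is reported rather than silently reusing an occupied address.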

[0248] In one embodiment, the registered device processing module is specifically used for:

[0249] The device information of the registered devices is recorded in the device information table corresponding to the local legitimate device set.

[0250] In one embodiment, when performing device detection on a third-party standard device, the legitimate device set construction module 201 is specifically used for:

[0251] Obtain the site deployment information table, which records the business deployment parameters of the different building sites. The business deployment parameters include, for each building site, the building gateway identifier, the business type, the open protocol type, and the third-party interface address;

[0252] Search the site deployment information table for the data records that match this building gateway, and among them take the data records that carry an open protocol type as the target data records;

[0253] Capture intranet inflow packets and obtain the destination address, protocol, and port information of each intranet inflow packet;

[0254] If the destination address, protocol, and port information of an intranet inflow packet match the open protocol type and third-party interface address recorded in a target data record, the device to which the intranet inflow packet belongs is added to the local legitimate device set and marked as a third-party standard device.

[0255] In one embodiment, the access control rules include an access whitelist and an access blacklist; the access control rule construction module 202 is specifically used for:

[0256] Obtain the original IP address and MAC address of each in-system device in the local legitimate device set, and bind each original IP address to its MAC address to generate a first whitelist subset;

[0257] For the third-party standard devices in the local legitimate device set, obtain their open protocol type and third-party interface address from the pre-generated site deployment information table to generate a second whitelist subset;

[0258] Generate the access whitelist from the first whitelist subset and the second whitelist subset;

[0259] Obtain the pre-generated access blacklist, which is updated in real time.
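An added example, not the patent's code, of the third-party device detection of [0251]-[0254] followed by the whitelist construction of [0256]-[0259] and a check of inflow packets against the resulting rules. The site deployment table, the BACnet/IP and Modbus/TCP entries, the addresses, MACs and packets are constructed. Two readings are assumptions and are marked as such in the code: the device "to which the inflow packet belongs" is taken to be the one at the packet's destination address, and a packet matching neither list is denied, since the text names the lists but not the default action.

```python
"""Third-party standard device detection ([0251]-[0254]), access whitelist
construction ([0256]-[0259]) and a rule check on inflow packets. Added
example; the table, protocols, addresses and packets are constructed."""
from collections import namedtuple

SiteRecord = namedtuple("SiteRecord", "gateway_id business_type open_protocol iface_addr")
Packet = namedtuple("Packet", "src_ip src_mac dst_ip proto dst_port")

# Constructed site deployment information table ([0251]); open_protocol is
# (protocol, port), or None for a business served only over a proprietary link.
SITE_TABLE = [
    SiteRecord("GW-A", "hvac",     ("udp", 47808), "10.8.0.50"),   # BACnet/IP
    SiteRecord("GW-A", "metering", ("tcp", 502),   "10.8.0.60"),   # Modbus/TCP
    SiteRecord("GW-A", "elevator", None,           None),          # no open protocol
    SiteRecord("GW-B", "hvac",     ("udp", 47808), "10.9.0.50"),   # another gateway's site
]

# Constructed in-system devices as left by the detection stage ([0235]-[0236]).
IN_SYSTEM = {"10.8.0.10": "00:11:22:33:44:01", "10.8.0.2": "00:11:22:33:44:02"}


def target_records(table, gateway_id):
    """[0252]: this gateway's records, restricted to those with an open protocol type."""
    return [r for r in table if r.gateway_id == gateway_id and r.open_protocol]


def detect_third_party(packets, records):
    """[0253]-[0254]: match (destination address, protocol, port) of each captured
    inflow packet against the target records. Assumption: the device the packet
    'belongs to' is the one at its destination, i.e. the third-party interface."""
    found = {}
    for p in packets:
        for r in records:
            if (p.dst_ip, p.proto, p.dst_port) == (r.iface_addr, *r.open_protocol):
                found[p.dst_ip] = r.open_protocol
    return found


def build_whitelist(in_system, third_party):
    """[0256]-[0258]: IP/MAC bindings for in-system devices, plus
    (interface address, protocol, port) for third-party standard devices."""
    first = {("bind", ip, mac) for ip, mac in in_system.items()}
    second = {("service", addr, proto, port) for addr, (proto, port) in third_party.items()}
    return first | second


def is_allowed(p, whitelist, blacklist):
    """Blacklist first, then the whitelist; anything else is denied
    (assumption: the patent names the lists but not the default action)."""
    if p.src_ip in blacklist:
        return False
    if ("bind", p.src_ip, p.src_mac) in whitelist:        # IP and MAC must both match
        return True
    return ("service", p.dst_ip, p.proto, p.dst_port) in whitelist


def run_demo():
    records = target_records(SITE_TABLE, "GW-A")
    captured = [  # constructed intranet inflow packets seen during detection
        Packet("10.8.0.10", "00:11:22:33:44:01", "10.8.0.50", "udp", 47808),
        Packet("172.16.5.9", "aa:aa:aa:aa:aa:01", "10.8.0.60", "tcp", 502),
        Packet("172.16.5.9", "aa:aa:aa:aa:aa:01", "10.8.0.70", "tcp", 8080),
    ]
    third_party = detect_third_party(captured, records)
    whitelist = build_whitelist(IN_SYSTEM, third_party)
    blacklist = {"172.16.5.66"}            # [0259]: pre-generated, maintained elsewhere
    checks = [
        Packet("10.8.0.10", "00:11:22:33:44:01", "10.8.0.2", "tcp", 22),     # bound pair
        Packet("10.8.0.10", "de:ad:be:ef:00:01", "10.8.0.2", "tcp", 22),     # same IP, wrong MAC
        Packet("172.16.5.9", "aa:aa:aa:aa:aa:01", "10.8.0.60", "tcp", 502),  # open service
        Packet("172.16.5.66", "aa:aa:aa:aa:aa:02", "10.8.0.60", "tcp", 502), # blacklisted source
        Packet("172.16.5.9", "aa:aa:aa:aa:aa:01", "10.8.0.70", "tcp", 8080), # unlisted service
    ]
    return third_party, whitelist, [is_allowed(p, whitelist, blacklist) for p in checks]


if __name__ == "__main__":
    print(run_demo())
```

The second check is the point of the IP/MAC binding in [0256]: a packet carrying an in-system address but a different MAC fails the first subset and, since it targets no open service, is denied. The blacklist is consulted before the whitelist, so a blacklisted source is refused even when it targets a listed service.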

[0260] In one embodiment, the resource reservation information includes: estimated number of external network links, estimated external network traffic rate, estimated number of VPN links, and estimated VPN traffic rate;

[0261] The resource reservation information determination module 203 is specifically used for:

[0262] Based on the device information table of the local legitimate device set and the access control rules, obtain the inbound access information corresponding to each device type. The access information includes the licensed protocol, the access source, and the average traffic rate;

[0263] Generate a type access lookup table from the device types and their access information;

[0264] Iterate through each device in the device information table and, based on the device type of the device currently being traversed, look up the target access information corresponding to that device type in the type access lookup table;

[0265] Where the destination is the external network, the number of licensed protocols in the target access information whose access source is the external network is taken as the estimated number of external network links, and the mean of the average traffic rates of those licensed protocols is taken as the estimated external network traffic rate;

[0266] Where the destination is the VPN intranet, the number of licensed protocols in the target access information whose access source is the VPN subnet is taken as the estimated number of VPN links, and the mean of the average traffic rates of those licensed protocols is taken as the estimated VPN traffic rate;

[0267] The resource reservation information for each device is appended to the device information table.

[0268] In one embodiment, the attack protection parameter determination module 204 may further include the following modules:

[0269] The attack protection initial parameter determination module is used to determine the initial attack protection parameters of the external network or the VPN from the resource reservation information. The initial attack protection parameters include the total traffic warning value, the total traffic safety value, the multi-connection warning value, and the connection safety value of each device;

[0270] The first adjustment module is used, when the preset learning period has elapsed, to determine the maximum traffic rate of the external network or the VPN from the traffic rates observed on the internal and external networks or the VPN during the learning period, and to adjust the corresponding total traffic safety value according to that maximum traffic rate;

[0271] The second adjustment module is used to adjust the multi-connection warning value of the external network or the VPN and the connection safety value of each device based on the maximum number of external network or VPN connections of each device during the learning period.

[0272] In one embodiment, the attack protection initial parameter determination module is specifically used for:

[0273] The total traffic warning value is calculated as follows: obtain the inflow traffic rate of each device at the current entry point, and take the sum of those inflow traffic rates as the total traffic warning value of the current entry point, where the current entry point is the external network port or the VPN port;

[0274] The total traffic safety value is calculated as follows: raise the total traffic warning value by the traffic reservation factor set for the current entry point to obtain the total traffic safety value, where the traffic reservation factor is less than 1;

[0275] The connection safety value of each device is calculated as follows: obtain the number of connections of each device at the current entry point, and raise that number by the connection reservation factor set for the current entry point to obtain the corresponding connection safety value, where the connection reservation factor is less than 1;

[0276] The multi-connection warning value is calculated as follows: take the product of the total traffic warning value of the current entry point and the connection security factor as the multi-connection warning value of the current entry point, where the connection security factor is the sum of the connection reservation factors of the devices at the current entry point divided by the number of devices, that is, their mean.

[0277] In one embodiment, the first adjustment module is specifically used for:

[0278] If the maximum traffic rate of the external network or VPN is greater than the corresponding total traffic warning value, the difference between the two is calculated, and the corresponding traffic reservation factor is updated to the ratio of the difference to the maximum traffic rate.

[0279] If the maximum traffic rate of the external network or VPN is less than or equal to the corresponding total traffic warning value, the corresponding traffic reservation factor will be updated to a value of 0.

[0280] The total traffic safety value is updated based on the updated traffic reservation factor.
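The following Python, an added example rather than code from the patent, carries the resource reservation of [0262]-[0267] through to the initial parameters of [0273]-[0276] and the learning-period update of [0278]-[0280] for one entry point. The type access lookup table, device table, rates and factors are constructed. "Increased by the set reservation factor" is read literally as base × (1 + factor), which the `raise_by` helper makes explicit; the per-device connection reservation factor follows claim 1, which lists it among the reservation information. The connection-side adjustment of [0271] is not shown because the text gives no formula for it.

```python
"""Resource reservation ([0262]-[0267]) feeding the initial attack protection
parameters and the learning-period update of the traffic reservation factor
([0273]-[0280]). Added example with constructed tables; device types,
protocols, rates and factors are assumptions, not values from the patent."""
from statistics import mean

EXTERNAL, VPN = "external", "vpn"     # the two entry points of [0273]

# Constructed type access lookup table ([0262]-[0263]): device type ->
# [(licensed protocol, access source, average traffic rate in kbit/s), ...]
TYPE_ACCESS = {
    "elevator-controller": [("https", EXTERNAL, 120.0), ("mqtt", EXTERNAL, 40.0),
                            ("modbus", VPN, 15.0)],
    "hvac-controller":     [("bacnet", VPN, 25.0), ("https", EXTERNAL, 60.0)],
    "third-party-meter":   [("modbus", VPN, 10.0)],
}

# Constructed device information table ([0249]); the per-device connection
# reservation factor is what claim 1 lists among the reservation information.
DEVICE_TABLE = [
    {"name": "elevator-1", "type": "elevator-controller", "conn_factor": 0.5},
    {"name": "ahu-1",      "type": "hvac-controller",     "conn_factor": 0.25},
    {"name": "meter-1",    "type": "third-party-meter",   "conn_factor": 0.75},
]


def raise_by(base, factor):
    """'Increased by the set reservation factor' ([0274]-[0275]), read literally
    as base * (1 + factor); the patent requires the factor to be below 1."""
    if not 0 <= factor < 1:
        raise ValueError("reservation factor must lie in [0, 1)")
    return base * (1 + factor)


def reserve_resources(devices, type_access=TYPE_ACCESS):
    """[0264]-[0267]: for each device, count the licensed protocols per access
    source and average their rates; append the estimates to the table row."""
    for dev in devices:
        entries = type_access[dev["type"]]
        for source in (EXTERNAL, VPN):
            rates = [rate for _, src, rate in entries if src == source]
            dev[f"{source}_links"] = len(rates)                    # estimated links
            dev[f"{source}_rate"] = mean(rates) if rates else 0.0  # estimated rate
    return devices


def initial_parameters(devices, entry, traffic_factor):
    """[0273]-[0276] for one entry point (external network port or VPN port)."""
    total_warning = sum(d[f"{entry}_rate"] for d in devices)
    conn_security_factor = sum(d["conn_factor"] for d in devices) / len(devices)
    return {
        "entry": entry,
        "traffic_factor": traffic_factor,
        "total_warning": total_warning,
        "total_safety": raise_by(total_warning, traffic_factor),
        "multi_conn_warning": total_warning * conn_security_factor,
        "conn_safety": {d["name"]: raise_by(d[f"{entry}_links"], d["conn_factor"])
                        for d in devices},
    }


def learn_traffic_factor(params, max_rate_seen):
    """[0278]-[0280]: once the learning period has elapsed, re-derive the traffic
    reservation factor from the observed peak and recompute the safety value."""
    warning = params["total_warning"]
    factor = (max_rate_seen - warning) / max_rate_seen if max_rate_seen > warning else 0.0
    params["traffic_factor"] = factor
    params["total_safety"] = raise_by(warning, factor)
    return params


def run_demo():
    devices = reserve_resources([dict(row) for row in DEVICE_TABLE])
    params = initial_parameters(devices, EXTERNAL, traffic_factor=0.25)
    learned = learn_traffic_factor(dict(params), max_rate_seen=200.0)
    return devices, params, learned


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

Two consequences of the formulas are worth checking against a real deployment. With the literal reading, the learned safety value (182 for a 200 peak over a 140 warning value) remains below the observed peak; if the factor is instead the reserved fraction of the safety value (warning / (1 − factor)), the same update in [0278] puts the safety value exactly at the peak, and the text does not settle which is meant. And a peak at or below the warning value zeroes the factor, so the safety value collapses onto the warning value and any later excess immediately qualifies for fixed-source suppression under [0296]. A device with no licensed protocol for an entry point (meter-1 for the external network here) gets a connection safety value of 0, so its first external connection already counts as exceeding it.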

[0281] In one embodiment, the attack protection processing module 205 may include the following modules:

[0282] The traffic monitoring module is used to monitor inbound traffic from the external network and VPN traffic.

[0283] The device connection count acquisition module is used, if the inbound traffic from the external network or the total inbound traffic from the VPN is greater than the corresponding multi-connection warning value, to acquire the continuously counted number of connections of each device in the VPN intranet;

[0284] The connection count comparison module is used to determine whether any device has a number of connections exceeding its corresponding connection safety value; if so, it calls the multi-connection attack protection module, and if not, it calls the traffic judgment module;

[0285] The multi-connection attack protection module is used to trigger the multi-connection attack protection process;

[0286] The traffic judgment module is used to determine whether the inbound traffic from the external network or the total inbound traffic from the VPN exceeds the corresponding total traffic warning value; if so, it calls the fixed source attack protection module, and if not, it calls the blacklist removal module;

[0287] The fixed source attack protection module is used to trigger the fixed source attack protection process;

[0288] The blacklist removal module is used to wait for the next maintenance cycle and, when it arrives, to remove all addresses from the blacklist.

[0289] In one embodiment, the multi-connection attack protection module is further configured to:

[0290] The device with the largest number of connections is selected as the multi-connection suppression object;

[0291] The access control rule is enabled to limit the number of connections of the multi-connection suppression object to within its corresponding connection safety value until the set first suppression duration is reached;

[0292] Determine whether the number of connections of the multi-connection suppression object still exceeds its corresponding connection safety value;

[0293] If so, control the multi-connection suppression object to close all currently connected ports and replace them with a new set of idle ports, notify the platform and the other devices of the new port set, and update the port information in the type protocol lookup table;

[0294] If not, the attack on the multi-connection suppression object is considered to have been suppressed successfully.

[0295] In one embodiment, the fixed-source attack protection module is specifically used for:

[0296] If the inbound traffic from the external network or the total inbound traffic from the VPN exceeds the corresponding total traffic safety value, the device with the highest inflow rate among the current inbound packets is selected as the fixed source suppression object;

[0297] Enable the access control rule to limit the inflow packets of the fixed source suppression object to within the corresponding total traffic warning value until the set second suppression duration is reached;

[0298] Stop suppressing the inflow packets of the fixed source suppression object and, after a set time period, determine whether the inbound traffic from the external network or the total inbound traffic from the VPN is below the corresponding total traffic safety value;

[0299] If so, the suppression of the fixed source suppression object is determined to have succeeded;

[0300] If not, the fixed source suppression object is added to the access blacklist.
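An added example (not the patent's implementation) of the processing flow in [0282]-[0300] as a small state machine. The parameters (warning value 140, safety value 175, multi-connection warning value 70, per-device connection safety values), device names, ports and observations are constructed. Suppression durations and the settling period of [0298] are not simulated: each call takes the triggering observation together with a second observation standing for the state after the relevant duration has elapsed. Note that, following [0290] and [0296], both suppression objects are chosen from the devices in the legitimate set, so the limits, the port rotation and the eventual blacklist entry apply to the busiest in-system device rather than to a remote address.

```python
"""Attack protection processing of [0282]-[0300]: the decision tree over
inbound traffic and per-device connection counts, multi-connection suppression
with port rotation, and fixed-source suppression with blacklisting. Added
example; parameters, device names, ports and observations are constructed, and
suppression durations are represented by a second observation, not simulated."""
from dataclasses import dataclass, field


@dataclass
class Observation:
    inbound_rate: float   # total inbound traffic at the entry point being watched
    connections: dict     # device -> continuously counted connections ([0283])
    inflow_rates: dict    # device -> inflow rate of the packets addressed to it


@dataclass
class Protector:
    params: dict                  # total_warning, total_safety, multi_conn_warning, conn_safety
    port_table: dict              # device -> open ports (the type protocol lookup table)
    idle_ports: list              # ports the gateway may hand out on rotation
    applied: list = field(default_factory=list)   # access-control limits that were enabled
    blacklist: set = field(default_factory=set)
    notifications: list = field(default_factory=list)
    pending_clear: bool = False

    def evaluate(self, obs, after):
        """[0283]-[0288]; `after` is the observation taken once the suppression
        duration (and the settling period of [0298]) has elapsed."""
        p = self.params
        if obs.inbound_rate <= p["multi_conn_warning"]:
            return "monitor"
        if any(n > p["conn_safety"][d] for d, n in obs.connections.items()):
            return self.multi_connection_protect(obs, after)
        if obs.inbound_rate > p["total_warning"]:
            return self.fixed_source_protect(obs, after)
        self.pending_clear = True                           # [0288]
        return "await-maintenance"

    def on_maintenance_cycle(self):
        """[0288]: the blacklist is emptied when the next maintenance cycle arrives."""
        if self.pending_clear:
            self.blacklist.clear()
            self.pending_clear = False

    def multi_connection_protect(self, obs, after):
        """[0290]-[0294]."""
        target = max(obs.connections, key=obs.connections.get)
        limit = self.params["conn_safety"][target]
        self.applied.append((target, "max-connections", limit, "first suppression duration"))
        if after.connections.get(target, 0) <= limit:
            return f"suppressed:{target}"
        old_ports = self.port_table[target]                 # still over: rotate ports
        new_ports = [self.idle_ports.pop(0) for _ in old_ports]
        self.port_table[target] = new_ports
        self.notifications.append((target, old_ports, new_ports))   # platform + peers
        return f"rotated-ports:{target}"

    def fixed_source_protect(self, obs, after):
        """[0296]-[0300]."""
        p = self.params
        if obs.inbound_rate <= p["total_safety"]:
            return "above-warning-within-safety"            # [0296] not met
        target = max(obs.inflow_rates, key=obs.inflow_rates.get)
        self.applied.append((target, "max-rate", p["total_warning"], "second suppression duration"))
        if after.inbound_rate < p["total_safety"]:           # checked after suppression stops
            return f"suppressed:{target}"
        self.blacklist.add(target)
        return f"blacklisted:{target}"


def run_demo():
    """Constructed external-entry parameters and a handful of observations."""
    params = {"total_warning": 140.0, "total_safety": 175.0, "multi_conn_warning": 70.0,
              "conn_safety": {"elevator-1": 3.0, "ahu-1": 1.25, "meter-1": 0.0}}
    prot = Protector(params, port_table={"elevator-1": [8443, 1883]},
                     idle_ports=[30001, 30002, 30003])
    calm = {"elevator-1": 2, "ahu-1": 1, "meter-1": 0}
    flows = {"elevator-1": 30.0, "ahu-1": 150.0, "meter-1": 10.0}
    results = [
        prot.evaluate(Observation(50.0, calm, flows), Observation(50.0, calm, flows)),
        prot.evaluate(Observation(90.0, {"elevator-1": 8, "ahu-1": 1, "meter-1": 0}, flows),
                      Observation(80.0, {"elevator-1": 5, "ahu-1": 1, "meter-1": 0}, flows)),
        prot.evaluate(Observation(190.0, calm, flows), Observation(120.0, calm, flows)),
        prot.evaluate(Observation(190.0, calm, flows), Observation(180.0, calm, flows)),
        prot.evaluate(Observation(150.0, calm, flows), Observation(150.0, calm, flows)),
        prot.evaluate(Observation(100.0, calm, flows), Observation(100.0, calm, flows)),
    ]
    blacklisted_before_cycle = set(prot.blacklist)
    prot.on_maintenance_cycle()
    return prot, results, blacklisted_before_cycle


if __name__ == "__main__":
    print(run_demo()[1])
```

The six observations walk every branch: below the multi-connection warning value nothing happens; a connection burst on elevator-1 that persists past the limit rotates its ports; a traffic surge above the safety value throttles ahu-1 and is judged suppressed or, if the rate stays high, blacklists it; traffic between the warning and safety values triggers no suppression under [0296]; and a reading above the multi-connection warning value but within the warning value only schedules the blacklist clearance at the next maintenance cycle.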

[0301] The network security protection device based on a building gateway provided in this application can execute the network security protection method based on a building gateway provided in any embodiment of this application, and has the corresponding functional modules and beneficial effects of executing the method.

[0302] Embodiment 3

[0303] Figure 8 shows a schematic diagram of an electronic device 10 that can be used to implement embodiments of the methods of this application. This electronic device can be a building gateway.

[0304] As shown in Figure 4, the electronic device 10 includes at least one processor 11 and a memory, such as a read-only memory (ROM) 12 or a random access memory (RAM) 13, communicatively connected to the at least one processor 11. The memory stores computer programs executable by the at least one processor. The processor 11 can perform various appropriate actions and processes based on the computer program stored in the ROM 12 or loaded from storage unit 18 into the RAM 13. The RAM 13 may also store various programs and data required for the operation of the electronic device 10. The processor 11, ROM 12, and RAM 13 are interconnected via a bus 14. An input / output (I / O) interface 15 is also connected to the bus 14.

[0305] Multiple components in electronic device 10 are connected to I / O interface 15, including: input unit 16, such as keyboard, mouse, etc.; output unit 17, such as various types of displays, speakers, etc.; storage unit 18, such as disk, optical disk, etc.; and communication unit 19, such as network card, modem, wireless transceiver, etc. Communication unit 19 allows electronic device 10 to exchange information / data with other devices through computer networks such as the Internet and / or various telecommunications networks.

[0306] Processor 11 can be a variety of general-purpose and / or special-purpose processing components with processing and computing capabilities. Some examples of processor 11 include, but are not limited to, a central processing unit (CPU), a graphics processing unit (GPU), various special-purpose artificial intelligence (AI) computing chips, various processors running machine learning model algorithms, a digital signal processor (DSP), and any suitable processor, controller, microcontroller, etc. Processor 11 performs the various methods and processes described above, such as the method described in Embodiment 1.

[0307] In some embodiments, the method described in Embodiment 1 may be implemented as a computer program tangibly contained in a computer-readable storage medium, such as storage unit 18. In some embodiments, part or all of the computer program may be loaded and / or installed on electronic device 10 via ROM 12 and / or communication unit 19. When the computer program is loaded into RAM 13 and executed by processor 11, one or more steps of the method described in Embodiment 1 above may be performed. Alternatively, in other embodiments, processor 11 may be configured to perform the method described in Embodiment 1 by any other suitable means (e.g., by means of firmware).

[0308] Various embodiments of the systems and techniques described above herein can be implemented in digital electronic circuit systems, integrated circuit systems, field-programmable gate arrays (FPGAs), application-specific integrated circuits (ASICs), application-specific standard products (ASSPs), systems-on-a-chip (SoCs), complex programmable logic devices (CPLDs), computer hardware, firmware, software, and / or combinations thereof. These various embodiments may include implementations in one or more computer programs that can be executed and / or interpreted on a programmable system including at least one programmable processor, which may be a dedicated or general-purpose programmable processor, capable of receiving data and instructions from a storage system, at least one input device, and at least one output device, and transmitting data and instructions to the storage system, the at least one input device, and the at least one output device.

[0309] Computer programs used to implement the methods of this application may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general-purpose computer, a special-purpose computer, or other programmable data processing device, such that when executed by the processor, the computer programs cause the functions / operations specified in the flowcharts and / or block diagrams to be performed. The computer programs may be executed entirely on a machine, partially on a machine, or as a standalone software package, partially on a machine and partially on a remote machine, or entirely on a remote machine or server.

[0310] In the context of this application, a computer-readable storage medium can be a tangible medium that may contain or store a computer program for use by or in conjunction with an instruction execution system, apparatus, or device. A computer-readable storage medium can be, but is not limited to, electronic, magnetic, optical, electromagnetic, infrared, or semiconductor systems, apparatus, or devices, or any suitable combination of the foregoing. Alternatively, a computer-readable storage medium can be a machine-readable signal medium. More specific examples of machine-readable storage media include electrical connections based on one or more wires, portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination of the foregoing.

Claims

1. A building gateway-based network security protection method, characterized in that the method is applied to a building gateway, where one building gateway corresponds to one or more building sites. Each building site includes one or more building terminal devices and a building controller connected to each of the building terminal devices, and the building terminal devices access the building gateway through the building controller. The method includes: once the building gateway is connected to the VPN network, performing device detection on the in-system devices of the building system, including the building controller and third-party standard devices, to build a local legitimate device set; constructing access control rules for the local legitimate device set; determining, based on the access control rules, the resource reservation information of each legitimate device in the local legitimate device set, wherein the resource reservation information includes the estimated number of external network links, the estimated external network traffic rate, the estimated number of VPN links, the estimated VPN traffic rate, and the connection reservation factor; determining attack protection parameters based on the resource reservation information; and using the attack protection parameters to perform attack protection processing on each legitimate device; wherein the access control rules include an access whitelist and an access blacklist.
Constructing the access control rules for the local legitimate device set includes: obtaining the original IP address and MAC address of each in-system device in the local legitimate device set, and binding each original IP address to its MAC address to generate a first whitelist subset; for the third-party standard devices in the local legitimate device set, obtaining their open protocol type and third-party interface address from the pre-generated site deployment information table to generate a second whitelist subset; generating the access whitelist from the first whitelist subset and the second whitelist subset; and obtaining the pre-generated access blacklist, which is updated in real time. Determining the resource reservation information of each legitimate device in the local legitimate device set based on the access control rules includes: based on the device information table of the local legitimate device set and the access control rules, obtaining the inbound access information corresponding to each device type, wherein the access information includes the licensed protocol, the access source, and the average traffic rate, and the device information table records the device information of each device in the local legitimate device set, the device information including the device type;
generating a type access lookup table from the device types and the access information; iterating through each device in the device information table and, based on the device type of the device currently being traversed, looking up the target access information corresponding to that device type in the type access lookup table; where the destination is the external network, taking the number of licensed protocols in the target access information whose access source is the external network as the estimated number of external network links, and the mean of the average traffic rates of those licensed protocols as the estimated external network traffic rate; where the destination is the VPN intranet, taking the number of licensed protocols in the target access information whose access source is the VPN subnet as the estimated number of VPN links, and the mean of the average traffic rates of those licensed protocols as the estimated VPN traffic rate; and appending the resource reservation information of each device to the device information table.

2. The method according to claim 1, characterized in that, when detecting the devices within the system, performing device detection on the in-system devices of the building system, including the building controller and third-party standard devices, after the building gateway is connected to the VPN network to construct a local legitimate device set includes: creating a multicast group whose members include several building controllers; scanning the devices on the local subnet to obtain the set of occupied IP addresses in the local subnet, and generating an idle IP address set from the set of occupied IP addresses; sending a device query command in multicast mode within the multicast group, and receiving the response instruction returned by each device in the multicast group in reply to the device query command; determining registered and unregistered devices based on the response instructions; adding the registered devices to the local legitimate device set and marking them as in-system devices; and, for the unregistered devices, allocating intranet addresses from the idle IP address set, and adding the unregistered devices that have completed intranet address configuration to the local legitimate device set as registered devices.

3. The method according to claim 2, characterized in that the device query command includes the VPN subnet segment and the building gateway's own IP address, and determining registered and unregistered devices based on the response instructions includes: identifying each response instruction as either a registration response instruction or a first allocation request response instruction, wherein the registration response instruction is the response a device in the multicast group returns to the building gateway when it determines that its own network parameters match those of the VPN subnet segment, and the first allocation request response instruction is the response a device in the multicast group returns to the building gateway when it determines that its own network parameters do not match those of the VPN subnet segment; designating a device that sends the first allocation request response instruction as an unregistered device; and designating a device that sends the registration response instruction as a candidate registered device and sending registration confirmation information to it, wherein, if a second allocation request response instruction is received from any candidate registered device within the confirmation period set for the registration confirmation information, that device is designated as an unregistered device, and a candidate registered device that sends no second allocation request response instruction is designated as a registered device.

4. The method according to claim 2 or 3, characterized in that allocating intranet addresses to the unregistered devices from the idle IP address set and adding the unregistered devices that have completed intranet address configuration to the local legitimate device set as registered devices includes: for any unregistered device, obtaining its original IP address and MAC address; selecting one idle IP address from the idle IP address set as the target idle IP address; generating an allocation confirmation message from the original IP address and MAC address of the unregistered device and the target idle IP address, and sending the allocation confirmation message within the multicast group in multicast mode; receiving the registration response information returned for the allocation confirmation message, wherein each device in the multicast group that receives the allocation confirmation message compares the original IP address and MAC address it carries with its own IP address and MAC address, and the device for which both match sets the network parameters of its intranet LAN port according to the target idle IP address carried in the allocation confirmation message and returns the registration response information to the building gateway; and adding the unregistered devices that send the registration response information to the local legitimate device set as registered devices.

5. The method according to claim 1, characterized in that, when detecting third-party standard devices, performing device detection on the in-system devices of the building system, including the building controller and third-party standard devices, after the building gateway is connected to the VPN network to construct a local legitimate device set includes: obtaining the site deployment information table, which records the business deployment parameters of the different building sites, the business deployment parameters including, for each building site, the building gateway identifier, the business type, the open protocol type, and the third-party interface address; searching the site deployment information table for the data records that match this building gateway, and among them taking the data records that carry an open protocol type as the target data records; capturing intranet inflow packets and obtaining the destination address, protocol, and port information of each intranet inflow packet; and, if the destination address, protocol, and port information of an intranet inflow packet match the open protocol type and third-party interface address recorded in a target data record, adding the device to which the intranet inflow packet belongs to the local legitimate device set and marking that device as a third-party standard device.

6. The method according to claim 1, characterized in that determining attack protection parameters based on the resource reservation information includes: determining, from the resource reservation information, the initial attack protection parameters of the external network or the VPN, the initial attack protection parameters including the total traffic warning value, the total traffic safety value, the multi-connection warning value, and the connection safety value of each device; when the preset learning period has elapsed, determining the maximum traffic rate of the external network or the VPN from the traffic rates observed on the internal and external networks or the VPN during the learning period, and adjusting the corresponding total traffic safety value according to that maximum traffic rate; and adjusting the multi-connection warning value of the external network or the VPN and the connection safety value of each device based on the maximum number of external network or VPN connections of each device during the learning period.

7. The method according to claim 6, characterized in that the total traffic warning value is calculated as follows: obtain the inflow rate of each device at the current entry point, and take the sum of those inflow rates as the total traffic warning value of the current entry point, where the current entry point is the external network port or the VPN port; the total traffic safety value is calculated as follows: raise the total traffic warning value by the traffic reservation factor set for the current entry point to obtain the total traffic safety value, where the traffic reservation factor is less than 1; the connection safety value of each device is calculated as follows: obtain the number of connections of each device at the current entry point, and raise that number by the connection reservation factor set for the current entry point to obtain the corresponding connection safety value, where the connection reservation factor is less than 1; and the multi-connection warning value is calculated as follows: take the product of the total traffic warning value of the current entry point and the connection security factor as the multi-connection warning value of the current entry point, where the connection security factor is the sum of the connection reservation factors of the devices at the current entry point divided by the number of devices.

8. The method according to claim 7, characterized in that, when the preset learning period arrives, determining the maximum traffic rate of the external network or VPN based on the traffic rate of the internal and external networks or VPN during the learning period and adjusting the corresponding total traffic security value according to the maximum traffic rate includes: if the maximum traffic rate of the external network or VPN is greater than the corresponding total traffic warning value, calculating the difference between the two and updating the corresponding traffic reservation factor to the ratio of the difference to the maximum traffic rate; if the maximum traffic rate of the external network or VPN is less than or equal to the corresponding total traffic warning value, updating the corresponding traffic reservation factor to 0; and updating the total traffic security value based on the updated traffic reservation factor.
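The arithmetic of claims 6 to 8 for a single entry point, as an added example that is not code from the patent or its assignee. It reads "increased by the reservation factor" as multiplication by (1 + factor), rounds connection counts up to whole connections, and, because claim 6 gives no formula for the connection-side adjustment after the learning period, applies the claim 8 rule per device to its estimated versus observed maximum connection count; all of these are assumptions, as are the device names, rates and factors.

```python
"""Attack-protection parameter derivation for one gateway entry point.

Added example, not code from the patent: it implements the arithmetic of
claims 6-8 for one entry point (the external network port or the VPN port).
Device names, rates and factors are constructed sample values, and
"increased by the reservation factor" is read as "multiplied by (1 + factor)",
an assumption the claims leave implicit.
"""
import math
from dataclasses import dataclass, field


@dataclass
class DeviceEstimate:
    name: str
    inflow_rate: float          # estimated inflow rate at this entry point (kbit/s, constructed unit)
    connections: int            # estimated number of links at this entry point
    conn_reserve_factor: float  # connection reservation factor, must be < 1


@dataclass
class EntryPointParams:
    total_traffic_warning: float
    total_traffic_security: float
    multi_connection_warning: float
    connection_security: dict = field(default_factory=dict)   # device -> connection security value
    traffic_reserve_factor: float = 0.0
    conn_reserve_factors: dict = field(default_factory=dict)  # device -> factor currently in force


def _connection_values(devices, factors, connections):
    """Claim 7: connection security value per device plus the connection security factor."""
    security = {d.name: math.ceil(connections[d.name] * (1 + factors[d.name])) for d in devices}
    conn_security_factor = sum(factors.values()) / len(factors)   # mean of the reservation factors
    return security, conn_security_factor


def initial_parameters(devices, traffic_reserve_factor):
    """Claim 7: derive the initial parameters from the resource reservation information."""
    if not 0.0 <= traffic_reserve_factor < 1.0:
        raise ValueError("traffic reservation factor must be in [0, 1)")
    factors = {}
    for d in devices:
        if not 0.0 <= d.conn_reserve_factor < 1.0:
            raise ValueError(f"{d.name}: connection reservation factor must be in [0, 1)")
        factors[d.name] = d.conn_reserve_factor
    warning = sum(d.inflow_rate for d in devices)      # sum of per-device inflow rates
    security, csf = _connection_values(devices, factors, {d.name: d.connections for d in devices})
    return EntryPointParams(
        total_traffic_warning=warning,
        total_traffic_security=warning * (1 + traffic_reserve_factor),
        multi_connection_warning=warning * csf,
        connection_security=security,
        traffic_reserve_factor=traffic_reserve_factor,
        conn_reserve_factors=factors,
    )


def learning_period_update(params, devices, observed_rates, observed_max_connections):
    """Claims 6 and 8: re-derive the parameters once the learning period arrives.

    observed_rates: traffic-rate samples seen at this entry point during the period.
    observed_max_connections: device -> highest connection count seen during the period.
    """
    warning = params.total_traffic_warning
    max_rate = max(observed_rates)
    # Claim 8: the factor becomes (max - warning) / max, or 0 if the warning value was never exceeded.
    traffic_factor = (max_rate - warning) / max_rate if max_rate > warning else 0.0
    # Connection side (claim 6 gives no formula): ASSUMPTION that the same rule is applied
    # per device, comparing its observed maximum against its estimated connection count.
    factors = {}
    for d in devices:
        seen = observed_max_connections.get(d.name, 0)
        factors[d.name] = (seen - d.connections) / seen if seen > d.connections else 0.0
    security, csf = _connection_values(devices, factors, {d.name: d.connections for d in devices})
    return EntryPointParams(
        total_traffic_warning=warning,
        total_traffic_security=warning * (1 + traffic_factor),
        multi_connection_warning=warning * csf,
        connection_security=security,
        traffic_reserve_factor=traffic_factor,
        conn_reserve_factors=factors,
    )


# Constructed sample: three devices behind the VPN port of the gateway.
SAMPLE_DEVICES = [
    DeviceEstimate("controller-1", inflow_rate=200.0, connections=4, conn_reserve_factor=0.25),
    DeviceEstimate("camera-1", inflow_rate=800.0, connections=2, conn_reserve_factor=0.5),
    DeviceEstimate("meter-1", inflow_rate=50.0, connections=1, conn_reserve_factor=0.2),
]


def demo():
    initial = initial_parameters(SAMPLE_DEVICES, traffic_reserve_factor=0.2)
    learned = learning_period_update(
        initial, SAMPLE_DEVICES,
        observed_rates=[900.0, 1200.0, 1400.0],   # constructed samples from the learning period
        observed_max_connections={"controller-1": 6, "camera-1": 2, "meter-1": 1},
    )
    return initial, learned


if __name__ == "__main__":
    for label, p in zip(("initial", "after learning"), demo()):
        print(label, p)
```

Note that the claim 8 update does not simply move the security value up to the observed maximum: with a warning value of 1050 and an observed peak of 1400, the factor becomes 0.25 and the security value 1312.5, so the margin grows with the overshoot but stays below the peak.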

9. The method according to any one of claims 6-8, characterized in that performing attack protection processing on each legitimate device using the attack protection parameters includes: monitoring inbound traffic from the external network and the VPN; if the inbound traffic from the external network or the total inbound traffic from the VPN exceeds the corresponding multi-connection warning value, continuously counting the number of connections of each device in the VPN internal network and determining whether any device has a number of connections exceeding its corresponding connection security value; if so, triggering the multi-connection attack protection process; if not, determining whether the inbound traffic from the external network and the total inbound traffic from the VPN exceed the corresponding total traffic warning value; if they do, triggering the fixed-source attack protection process; if they do not, waiting for the next maintenance cycle to arrive and clearing all addresses from the blacklist when it arrives.

10. The method according to claim 9, characterized in that the multi-connection attack protection process includes: selecting the device with the largest number of connections as the multi-connection suppression object; activating the access control rule to limit the number of connections of the multi-connection suppression object to within its corresponding connection security value, and stopping the suppression of the incoming packets of the multi-connection suppression object once the set first suppression duration is reached; determining whether the number of connections of the multi-connection suppression object exceeds its corresponding connection security value; if so, controlling the multi-connection suppression object to close the port with the most connections and replace it with a new set of idle ports, notifying the platform and the other devices of the new port set, and updating the port information in the type access lookup table; if not, determining that the attack on the multi-connection suppression object has been successfully suppressed.

11. The method according to claim 9, characterized in that the fixed-source attack protection process includes: if the inbound traffic from the external network and the total inbound traffic from the VPN exceed the corresponding total traffic security value, selecting the source device with the highest traffic rate among the current inbound packets as the fixed-source suppression object; enabling the access control rule to limit the incoming packets of the fixed-source suppression object to within the corresponding total traffic warning value until the set second suppression duration is reached; stopping the suppression of the incoming packets of the fixed-source suppression object and, after a set time period, determining whether the inbound traffic from the external network and the total inbound traffic from the VPN are less than the corresponding total traffic security value; if so, determining that the suppression of the fixed-source suppression object has succeeded; if not, adding the fixed-source suppression object to the access blacklist.
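The decision tree of claim 9 together with the post-suppression checks of claims 10 and 11, as an added example that is not the patent's code. The suppression durations and the settling time are represented by explicit `after_*` calls instead of timers, the type access lookup table is reduced to a per-device port map, and all device names, addresses, ports and numbers are constructed; the thresholds are the ones derived in the claim 7 and claim 8 example above.

```python
"""Inbound-traffic monitoring and suppression logic of claims 9-11.

Added example, not the patent's code: a small state machine that takes the
parameters of claims 6-8 as plain numbers, applies the decision tree of claim 9
to one traffic sample, and runs the post-suppression checks of claims 10 and 11.
Suppression durations are represented by explicit "after_*" calls rather than
timers, and all device names, addresses, ports and numbers are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class TrafficSample:
    total_inbound: float    # inbound rate at the entry point (kbit/s, constructed unit)
    connections: dict       # legitimate device -> current connection count
    source_rates: dict      # source address -> inbound rate among the current packets


@dataclass
class ProtectionEngine:
    total_traffic_warning: float
    total_traffic_security: float
    multi_connection_warning: float
    connection_security: dict                          # device -> connection security value
    device_ports: dict                                 # device -> {port: connections}; stands in for the lookup table
    idle_ports: list = field(default_factory=list)     # spare ports a device may switch to
    conn_limits: dict = field(default_factory=dict)    # active per-device connection caps
    rate_limits: dict = field(default_factory=dict)    # active per-source rate caps
    blacklist: set = field(default_factory=set)
    notifications: list = field(default_factory=list)  # (device, new port set) sent to platform and peers

    def evaluate(self, s):
        """Claim 9: classify one monitoring sample and arm the matching suppression."""
        if s.total_inbound <= self.multi_connection_warning:
            return ("normal", None)
        over = [d for d, n in s.connections.items() if n > self.connection_security[d]]
        if over:
            target = max(s.connections, key=s.connections.get)           # device with the most connections
            self.conn_limits[target] = self.connection_security[target]  # claim 10, first step
            return ("multi_connection", target)
        if s.total_inbound > self.total_traffic_warning:
            return self._fixed_source(s)
        return ("wait_maintenance", None)

    def _fixed_source(self, s):
        """Claim 11: rate-limit the busiest source, but only above the total traffic security value."""
        if s.total_inbound <= self.total_traffic_security:
            return ("fixed_source_below_security", None)
        target = max(s.source_rates, key=s.source_rates.get)
        self.rate_limits[target] = self.total_traffic_warning
        return ("fixed_source", target)

    def after_multi_connection_suppression(self, target, connections_now):
        """Claim 10: called once the first suppression duration has elapsed."""
        self.conn_limits.pop(target, None)                      # stop suppressing
        if connections_now <= self.connection_security[target]:
            return ("suppressed", target)
        ports = self.device_ports[target]
        busiest = max(ports, key=ports.get)
        if not self.idle_ports:
            raise RuntimeError(f"{target}: no idle port available to replace {busiest}")
        replacement = self.idle_ports.pop(0)
        ports.pop(busiest)                                      # close the port with the most connections
        ports[replacement] = 0
        self.notifications.append((target, sorted(ports)))     # publish the new port set
        return ("port_rotated", replacement)

    def after_fixed_source_suppression(self, target, total_inbound_now):
        """Claim 11: called after the second suppression duration plus the set settling time."""
        self.rate_limits.pop(target, None)
        if total_inbound_now < self.total_traffic_security:
            return ("suppressed", target)
        self.blacklist.add(target)
        return ("blacklisted", target)

    def maintenance_cycle(self):
        """Claim 9: every address in the blacklist is cleared when the maintenance cycle arrives."""
        self.blacklist.clear()


def demo():
    eng = ProtectionEngine(
        total_traffic_warning=1050.0, total_traffic_security=1312.5, multi_connection_warning=332.5,
        connection_security={"controller-1": 5, "camera-1": 3},
        device_ports={"controller-1": {47808: 9, 502: 2}, "camera-1": {554: 3}},
        idle_ports=[47809],
    )
    results = []
    # constructed sample: one controller far above its connection security value
    results.append(eng.evaluate(TrafficSample(400.0, {"controller-1": 11, "camera-1": 1}, {})))
    results.append(eng.after_multi_connection_suppression("controller-1", connections_now=8))
    # constructed sample: connections normal, but one source pushing the total above 1312.5
    results.append(eng.evaluate(TrafficSample(1500.0, {"controller-1": 4, "camera-1": 2},
                                              {"203.0.113.9": 1300.0, "198.51.100.4": 200.0})))
    results.append(eng.after_fixed_source_suppression("203.0.113.9", total_inbound_now=1400.0))
    return eng, results
```

Because the multi-connection warning value is the total traffic warning value scaled by a factor below 1, the connection count check always runs before the traffic check, which is why `evaluate` tests it first.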

12. A network security protection device based on a building gateway, characterized in that the device is installed in a building gateway, one building gateway corresponding to one or more building sites; each building site includes one or more building terminal devices and a building controller connected to each of the building terminal devices, and the building terminal devices access the building gateway through the building controller. The device includes: a legitimate device set construction module, used to perform device detection within the building system, including the building controller and third-party standard devices, after the building gateway is connected to the VPN network, in order to construct a local legitimate device set; an access control rule construction module, used to construct access control rules for the local legitimate device set; a resource reservation information determination module, used to determine the resource reservation information of each legitimate device in the local legitimate device set based on the access control rules, wherein the resource reservation information includes the estimated number of external network links, the estimated external network traffic rate, the estimated number of VPN links, the estimated VPN traffic rate, and the connection reservation factor; an attack protection parameter determination module, used to determine attack protection parameters based on the resource reservation information; and an attack protection processing module, used to perform attack protection processing on each legitimate device using the attack protection parameters. The access control rules include an access whitelist and an access blacklist.

The access control rule construction module is specifically used for: obtaining the original IP address and MAC address of each device in the system within the local legitimate device set, and binding the original IP address and MAC address to generate a first whitelist subset; for the third-party standard devices in the local legitimate device set, obtaining their open protocol type and third-party interface address from the pre-generated site deployment information table to generate a second whitelist subset; generating the access whitelist from the first whitelist subset and the second whitelist subset; and obtaining a pre-generated access blacklist that is updated in real time.

The resource reservation information determination module is specifically used for: based on the device information table of the local legitimate device set, obtaining the access information corresponding to each device type flowing in under the access control rules, wherein the access information includes the licensed protocol, the access source, and the average traffic rate, and the device information table records the device information of each device in the local legitimate device set, the device information including the device type; generating a type access lookup table based on the device type and the access information; iterating through each device in the device information table and, based on the device type of the currently traversed device, looking up the target access information corresponding to that device type in the type access lookup table; if the destination is the external network, using the number of licensed protocols whose access source is the external network in the target access information as the estimated number of external network links, and the average of the average traffic rates of the licensed protocols whose access source is the external network in the target access information as the estimated external network traffic rate; if the destination is the VPN intranet, using the number of licensed protocols whose access source is a VPN subnet in the target access information as the estimated number of VPN links, and the average of the average traffic rates of the licensed protocols whose access source is a VPN subnet in the target access information as the estimated VPN traffic rate; and appending the resource reservation information of each device to the device information table.
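The whitelist construction and the resource reservation estimation of claim 12, as an added example that is not the patent's code. The device information table, the site deployment information table and the type access lookup table are constructed inline, the connection reservation factor is assumed to be a configured per-device-type value (the claim lists it but does not say where it comes from), and `packet_allowed` is an added helper showing how the two whitelist subsets and the blacklist are consulted.

```python
"""Access-whitelist construction and resource-reservation estimation of claim 12.

Added example, not the patent's code: it builds the two whitelist subsets
(IP/MAC bindings of local devices, protocol/interface entries of third-party
standard devices), filters a packet against whitelist and blacklist, and derives
the estimated link counts and traffic rates from a device information table and
a type access lookup table. All tables, addresses and rates are constructed.
"""
from statistics import mean

# Constructed device information table of the local legitimate device set.
DEVICE_INFO = [
    {"name": "controller-1", "type": "controller", "ip": "10.0.1.10", "mac": "02:00:00:00:01:10"},
    {"name": "controller-2", "type": "controller", "ip": "10.0.1.11", "mac": "02:00:00:00:01:11"},
    {"name": "camera-1", "type": "camera", "ip": "10.0.1.20", "mac": "02:00:00:00:01:20"},
]
# Constructed site deployment information table for third-party standard devices.
SITE_DEPLOYMENT = [
    {"name": "bms-export", "protocol": "BACnet/IP", "interface": "10.0.2.5:47808"},
]
# Constructed type access lookup table: device type -> (licensed protocol, access source, average rate).
TYPE_ACCESS = {
    "controller": [("BACnet/IP", "vpn", 120.0), ("Modbus/TCP", "vpn", 40.0), ("HTTPS", "external", 300.0)],
    "camera": [("RTSP", "external", 2000.0), ("ONVIF", "external", 50.0)],
}


def build_access_whitelist(device_info, site_deployment):
    """Claim 12: the first subset binds IP to MAC; the second lists third-party protocol endpoints."""
    first = {(d["ip"], d["mac"]) for d in device_info}
    second = {(t["protocol"], t["interface"]) for t in site_deployment}
    return first | second


def packet_allowed(packet, whitelist, blacklist):
    """Added helper: a packet passes only if its source is not blacklisted and matches a whitelist entry.

    packet: constructed dict with "ip", and either "mac" or "protocol"/"interface" keys.
    """
    if packet["ip"] in blacklist:
        return False
    if (packet["ip"], packet.get("mac")) in whitelist:          # first subset: IP/MAC binding
        return True
    return (packet.get("protocol"), packet.get("interface")) in whitelist   # second subset


def _estimate(entries, source):
    """Links = number of licensed protocols from `source`; rate = mean of their average rates."""
    rates = [rate for _, src, rate in entries if src == source]
    return len(rates), (mean(rates) if rates else 0.0)


def reservation_info(device_info, type_access, conn_reserve_factors):
    """Claim 12: append the estimated links, rates and reservation factor to each device record."""
    out = []
    for dev in device_info:
        entries = type_access.get(dev["type"], [])           # target access information for this type
        ext_links, ext_rate = _estimate(entries, "external")
        vpn_links, vpn_rate = _estimate(entries, "vpn")
        out.append({**dev,
                    "est_external_links": ext_links, "est_external_rate": ext_rate,
                    "est_vpn_links": vpn_links, "est_vpn_rate": vpn_rate,
                    # ASSUMPTION: the connection reservation factor is configured per device type.
                    "conn_reserve_factor": conn_reserve_factors[dev["type"]]})
    return out


def demo():
    whitelist = build_access_whitelist(DEVICE_INFO, SITE_DEPLOYMENT)
    blacklist = {"10.0.1.99"}   # constructed; in the claim this list is kept updated in real time
    table = reservation_info(DEVICE_INFO, TYPE_ACCESS, {"controller": 0.25, "camera": 0.5})
    return whitelist, blacklist, table


if __name__ == "__main__":
    for row in demo()[2]:
        print(row)
```

The per-device estimates produced here (estimated links, rates and the reservation factor) are exactly the inputs the claim 7 parameter derivation consumes, so the two tables together form the path from device detection to attack protection thresholds.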

13. An electronic device, characterized in that the electronic device includes: at least one processor; and a memory communicatively connected to the at least one processor; wherein the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the method according to any one of claims 1-11.

14. A computer-readable storage medium, characterized in that the computer-readable storage medium stores computer instructions for causing a processor to perform the method according to any one of claims 1-11.