Systems and methods for securing universal plug and play connections

專(zhuān)利號(hào)

US10791116B1

公開(kāi)日期

2020-09-29

申請(qǐng)人

Symantec Corporation（US AZ Tempe）

發(fā)明人

Bruce McCorkendale; Ramakrishnan Meenakshi Sundaram; Justin Harmon; Srini Chillappa

IPC分類(lèi)

H04L29/06; H04L12/24; H04L29/08

技術(shù)領(lǐng)域

upnp,client,device,or,network,may,forwarding,in,computing,remote

地域： CA CA Mountain View

摘要

The disclosed computer-implemented method for securing Universal Plug and Play connections may include (1) detecting, by a network device within a local network, an attempt by a remote device to establish a connection with a client device within the local network via a UPnP protocol, (2) identifying a forwarding rule applied by the network device on the client device based at least in part on an identity of the client device, (3) determining at least one restriction placed on UPnP connections between the client device and remote devices by the forwarding rule, and then in response to determining the restriction placed on UPnP connections between the client device and remote devices by the forwarding rule, (4) enforcing the restriction on the connection attempted by the remote device with the client device via the UPnP protocol. Various other methods, systems, and computer-readable media are also disclosed.

說(shuō)明書(shū)

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48

BACKGROUND

Universal Plug and Play (UPnP) is often used by devices within home networks to automatically open and configure router ports that connect those devices to the Internet. For example, a surveillance cam may direct a router within a home network to open and configure a port to facilitate streaming a video feed from the surveillance cam via UPnP. In this example, a remote device located outside the home network may be able to access and/or view the video feed by way of the UPnP port on the router without much in the way of security and/or authentication. As a result, a malicious user may be able to infiltrate the home network via the UPnP port on the router and then access and/or view the video feed by scanning the router.

Unfortunately, this lack of security and/or authentication may make users of UPnP devices susceptible to hacking and/or attacks. The instant disclosure, therefore, identifies and addresses a need for systems and methods for securing UPnP connections.

SUMMARY

權(quán)利要求

What is claimed is:

1. A computer-implemented method for securing Universal Plug and Play connections, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:creating, for client devices of a certain technology category within a local network, a default profile that includes a forwarding rule to be applied to traffic involving any client devices of the certain technology category within the local network, wherein the client devices of the certain technology category comprise at least one of:

a baby monitor;

a surveillance cam;

an Internet of Things (IoT) device;

a home alarm system or sensor;

a smart home device;

a webcam device; and

a gaming device;

creating, for client devices of an additional technology category within the local network, an additional default profile that includes an additional forwarding rule to be applied to traffic involving any client devices of the additional technology category within the local network;

receiving, by a network device within the local network, a request from a client device within the local network to open a certain port to facilitate Universal Plug and Play (UPnP) connections between the client device and remote devices;

transmitting, to an administrator of the local network, a notification indicating that the client device is requesting to open the certain port to facilitate UPnP connections;

receiving, from the administrator, a response indicating whether to satisfy the request to open the certain port to facilitate UPnP connections;

detecting, by the network device within the local network, an attempt by a remote device to establish a connection with the client device within the local network via a UPnP a Universal Plug and Play (UPnP) protocol;

determining that the client device within the local network is of the certain technology category;

in response to determining that the client device is of the certain technology category, applying the default profile to the connection between the client device and the remote device;

identifying the forwarding rule as being included in the default profile applied to the connection between the client device and the remote device;

determining, based at least in part on the default profile, that the forwarding rule places at least one restriction on UPnP connections between any client devices of the certain technology category within the local network and remote devices, wherein determining the restriction placed on UPnP connections between the client device and remote devices comprises determining that the restriction prevents UPnP connections between the client device and remote devices located in a certain geolocation; and

in response to determining that the forwarding rule places the restriction on UPnP connections between any client devices of the certain technology category within the local network and remote devices, enforcing the restriction on the connection attempted by the remote device with the client device via the UPnP protocol due at least in part to the client device being of the certain technology category within the local network, wherein enforcing the restriction on the connection attempted by the remote device with the client device comprises:

determining that the remote device attempting to establish the connection with the client device is located in the certain geolocation; and

preventing the connection between the client device and the remote device from being established due at least in part to the certain geolocation of the remote device.

2. The method of claim 1, further comprising:receiving, by the network device, a request from the client device to open a certain port to facilitate UPnP connections between the client device and remote devices;

determining an identity of the client device;

identifying the forwarding rule to be applied to the client device based at least in part on the identity of the client device; and

upon identifying the forwarding rule, applying the forwarding rule on the client device such that any UPnP connections with the client device are subject to the restriction.

3. The method of claim 2, further comprising identifying a context of an application that initiated the request to open the certain port; andwherein identifying the forwarding rule to be applied to the client device comprises identifying the forwarding rule based at least in part on the context of the application that initiated the request to open the certain port.

4. The method of claim 2, wherein the response instructs the network device to satisfy the request by opening the certain port to facilitate UPnP connections; andfurther comprising satisfying the request by opening the certain port to facilitate UPnP connections based at least in part on the response.

5. The method of claim 2, wherein the response instructs the network device to deny the request by refusing to open the certain port for UPnP connections; andfurther comprising denying the request by refusing to open the certain port for UPnP connections based at least in part on the response.

6. The method of claim 2, wherein the response identifies the restriction placed on UPnP connections between the client device and remote devices; andwherein enforcing the restriction on the connection attempted by the remote device with the client device comprises placing the restriction on UPnP connections between the client device and remote devices based at least in part on the response.

7. The method of claim 2, wherein the notification transmitted to the administrator specifies at least one of:the identity of the client device;

the forwarding rule as corresponding to the identity of the client device;

a context of an application that initiated the request on the client device; and

an indication as to whether the client device is expected to initiate requests to open ports to facilitate UPnP connections.

8. The method of claim 2, wherein the identity of the client device comprises at least one of:the certain technology category of the client device;

a make or model of the client device;

at least one feature of the client device; and

an address of the client device.

9. The method of claim 1, wherein:determining the restriction placed on UPnP connections between the client device and remote devices comprises determining that the restriction prevents any UPnP connections between the client device and remote devices; and

enforcing the restriction on the connection attempted by the remote device with the client device comprises preventing the connection between the client device and the remote device from being established.

10. The method of claim 1, wherein:determining the restriction placed on UPnP connections between the client device and remote devices comprises determining that the restriction prevents UPnP connections between the client device and remote devices with blacklisted addresses; and

enforcing the restriction on the connection attempted by the remote device with the client device comprises:

determining that the remote device attempting to establish the connection with the client device has a blacklisted address; and

preventing the connection between the client device and the remote device from being established due at least in part to the remote device having the blacklisted address.

11. The method of claim 1, wherein:determining the restriction placed on UPnP connections between the client device and remote devices comprises determining that the restriction prevents UPnP connections between the client device and remote devices whose reputations do not reach a certain threshold; and

enforcing the restriction on the connection attempted by the remote device with the client device comprises:

determining that the remote device attempting to establish the connection with the client device has a reputation that does not reach the certain threshold; and

preventing the connection between the client device and the remote device from being established due at least in part to the remote device having the reputation that does not reach the certain threshold.

12. A system for securing Universal Plug and Play connections, the system comprising:a default profile created for client devices of a certain technology category within a local network, wherein the default profile includes a forwarding rule to be applied to traffic involving any client devices of the certain technology category within the local network, wherein the client devices of the certain technology category comprise at least one of:

a baby monitor;

a surveillance cam;

an Internet of Things (IoT) device;

a home alarm system or sensor;

a smart home device;

a webcam device; and

a gaming device;

an additional default profile created for client devices of an additional technology category within the local network, wherein the additional default profile includes an additional forwarding rule to be applied to traffic involving any client devices of the additional technology category within the local network;

a detection module, stored in memory on a network device within the local network, that receives a request from a client device within the local network to open a certain port to facilitate Universal Plug and Play (UPnP) connections between the client device and remote devices;

a transmission module, stored in memory on the network device, that transmits, to an administrator of the local network, a notification indicating that the client device is requesting to open the certain port to facilitate UPnP connections;

wherein the detection module further:

receives, from the administrator, a response indicating whether to satisfy the request to open the certain port to facilitate UPnP connections; and

detects an attempt by a remote device to establish a connection with the client device within the local network via a UPnP a Universal Plug and Play (UPnP) protocol;

a determination module, stored in memory on the network device, that determines that the client device within the local network is of the certain technology category;

an enforcement module, stored in memory on the network device, that applies the default profile to the connection between the client device and the remote device in response to the determination that the client device is of the certain technology category;

an identification module, stored in memory on the network device, that identifies the forwarding rule as being included in the default profile applied to the connection between the client device and the remote device;

wherein the determination module determines, based at least in part on the default profile, that the forwarding rule places at least one restriction on UPnP connections between any client devices of the certain technology category within the local network and remote devices, wherein determining the restriction placed on UPnP connections between the client device and remote devices comprises:

determining that the restriction prevents UPnP connections between the client device and remote devices located in a certain geolocation; and

determining that the remote device attempting to establish the connection with the client device is located in the certain geolocation;

wherein the enforcement module enforces, due at least in part to the client device being of the certain technology category within the local network, the restriction on the connection attempted by the remote device with the client device via the UPnP protocol in response to the determination that the forwarding rule places the restriction on UPnP connections between any client devices of the certain technology category within the local network and remote devices, wherein enforcing the restriction on the connection attempted by the remote device with the client device comprises preventing the connection between the client device and the remote device from being established due at least in part to the certain geolocation of the remote device; and

at least one physical processor that executes the detection module, the identification module, the transmission module, the determination module, and the enforcement module.

13. The system of claim 12, wherein:the detection module receives a request from the client device to open a certain port to facilitate UPnP connections between the client device and remote devices;

the determination module determines an identity of the client device;

the identification module identifies the forwarding rule to be applied to the client device based at least in part on the identity of the client device; and

the enforcement module applies the forwarding rule on the client device such that any UPnP connections with the client device are subject to the restriction.

14. The system of claim 12, wherein:the response instructs the network device to satisfy the request by opening the certain port to facilitate UPnP connections; and

the enforcement module satisfies the request by opening the certain port to facilitate UPnP connections based at least in part on the response.

15. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one processor of a network device computing device, cause the network computing device to:create, for client devices of a certain technology category within a local network, a default profile that includes a forwarding rule to be applied to traffic involving any client devices of the certain technology category within the local network, wherein the client devices of the certain technology category comprise at least one of:

a baby monitor;

a surveillance cam;

an Internet of Things (IoT) device;

a home alarm system or sensor;

a smart home device;

a webcam device; and

a gaming device;

create, for client devices of an additional technology category within the local network, an additional default profile that includes an additional forwarding rule to be applied to traffic involving any client devices of the additional technology category within the local network;

receive a request from a client device within the local network to open a certain port to facilitate Universal Plug and Play (UPnP) connections between the client device and remote devices;

transmit, to an administrator of the local network, a notification indicating that the client device is requesting to open the certain port to facilitate UPnP connections;

receive, from the administrator, a response indicating whether to satisfy the request to open the certain port to facilitate UPnP connections;

detect, by network device within the local network, an attempt by a remote device to establish a connection with the client device within the local network via a UPnP a Universal Plug and Play (UPnP) protocol;

determine that the client device within the local network is of the certain technology category;

apply the default profile to the connection between the client device and the remote device in response to determining that the client device is of the certain technology category;

identify the forwarding rule as being included in the default profile applied to the connection between the client device and the remote device;

determine, based at least in part on the default profile, that the forwarding rule places at least one restriction on UPnP connections between any client devices of the certain technology category within the local network and remote devices, wherein determining the restriction placed on UPnP connections between the client device and remote devices comprises determining that the restriction prevents UPnP connections between the client device and remote devices located in a certain geolocation; and

enforce, due at least in part to the client device being of the certain technology category within the local network, the restriction on the connection attempted by the remote device with the client device via the UPnP protocol in response to the determination that the forwarding rule places the restriction on UPnP connections between any client devices of the certain technology category within the local network and remote devices, wherein enforcing the restriction on the connection attempted by the remote device with the client device comprises:

determining that the remote device attempting to establish the connection with the client device is located in the certain geolocation; and

preventing the connection between the client device and the remote device from being established due at least in part to the certain geolocation of the remote device.

微信群二維碼

意見(jiàn)反饋

白丝美女被狂躁免费视频网站,500av导航大全精品,yw.193.cnc爆乳尤物未满,97se亚洲综合色区,аⅴ天堂中文在线网官网

Systems and methods for securing universal plug and play connections

摘要

說(shuō)明書(shū)

權(quán)利要求

該功能需要專(zhuān)業(yè)版企業(yè)版VIP權(quán)限，您可以：

該功能需要專(zhuān)業(yè)版企業(yè)版VIP權(quán)限，您可以：