CN103973697A - Intrusion detecting method of internet-of-things sensing layer - Google Patents
- Publication number
- CN103973697A
- Authority
- CN
- China
- Prior art keywords
- data
- sensing layer
- site detection
- intrusion
- detection data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Abstract
The invention discloses an intrusion detection method for the Internet-of-Things (IoT) sensing layer. It relates to security detection for the IoT sensing layer, and in particular to a detection method that combines feature detection and anomaly detection to judge whether intrusion behaviour exists in the Internet of Things. To address the high false alarm rate, high miss rate and low detection rate of the prior art, the method performs intrusion detection by combining feature detection with anomaly detection. Compared with the prior art, the method has a low false alarm rate and miss rate, a high detection rate and good timeliness, and is suitable for detecting abnormal-behaviour intrusions in the IoT sensing layer.
Description
Technical field
The present invention relates to the field of Internet of Things security, and in particular to a method for detecting intrusion behaviour in the IoT sensing layer.
Background art
The Internet of Things (IoT) is an integrated information system of interconnected things with sensing at its core, and has been described as the third wave of the information industry after the computer and the Internet. The IoT places very high demands on data security, especially at the information sensing layer. If the network is intruded upon and illegal or malicious data flows into the network at the sensing layer, this endangers not only the sensing-layer data but also the communication layer connected to it, and in turn brings unpredictable damage to the whole network. At the same time, because of the characteristics of sensing-layer nodes themselves, these nodes are very easily attacked, so it is important to take corresponding protective measures for the information security of the IoT sensing layer.
At present, intrusion detection for the IoT sensing layer is still at an early stage. To ensure the security of sensing-layer nodes and improve the security of the whole network, many intrusion detection solutions have been proposed so far. Most are based on either feature detection or anomaly detection. Feature detection describes the features of intrusion behaviour deterministically, forms corresponding rules and aggregates them into a feature library, then compares the collected data against the feature library; a match indicates that the behaviour is an intrusion. This kind of detection usually uses statistical methods, and the threshold in a statistical method is hard to determine effectively: too small a value produces a large number of false alarms, and too large a value produces a large number of missed detections. Feature detection can detect known intrusion behaviour accurately but is helpless against new intrusions. Anomaly detection compares the detected behaviour with the behaviour defined as normal in the rule base; if they match, the behaviour is considered legitimate, and if they do not, it is considered illegitimate. This method can detect new intrusion behaviour but has a relatively high false detection rate.
How to combine the advantages of the two detection methods organically while avoiding the shortcomings of both is the focus of the present invention. Some scholars have also studied the combination of feature detection and anomaly detection, but they mostly just use the two methods side by side, with the two techniques implemented separately. This cannot overcome the defects of the two techniques at a fundamental level. Therefore a new scheme combining feature detection with anomaly detection is proposed here, in order to overcome the inherent shortcomings of both techniques and give the system a higher detection rate and a lower miss rate.
Meanwhile, current IoT sensing-layer intrusion detection schemes are mostly preliminary studies; that is, most discussions of IoT sensing-layer intrusion detection only provide a framework and do not specify how detection is actually implemented.
Summary of the invention
In view of the above deficiencies in the prior art, the object of the present invention is to provide an IoT sensing-layer intrusion detection method with a low miss rate and a high detection rate. The technical solution of the present invention is as follows: an IoT sensing-layer intrusion detection method comprising the following steps:
101. Initialization: generate a rule base whose content is empty;
102. An IoT sensing-layer node uses sensors to acquire and collect field detection data; the collected field detection data is trained with an immune genetic algorithm to form a normal behaviour set and an intrusion behaviour set, and the two sets are each stored in the rule base of step 101 to form the training rule base; go to step 103;
103. When the IoT sensing-layer node again uses sensors to acquire and collect field detection data, the field detection data is judged using the feature-based detection method. If the field detection data matches the normal behaviour set in the training rule base of step 102, the detection result is judged to be 1, the field detection data is safe, and the acquired field detection data is updated into the training rule base;
If the field detection data matches the intrusion behaviour set in the training rule base of step 102, the detection result is judged to be 0 and the field detection data is potential-hazard data; the potential-hazard data is then detected using the anomaly-based detection method. If the result of this second detection is 1, the potential-hazard data is judged to be false-alarm data; it is passed, and the false-alarm data is fed back to update the training rule base. If the result of the second detection is 0, the potential-hazard data is intrusion data, and the intrusion data is intercepted and an alarm is raised.
Further, the immune genetic algorithm in step 102 comprises the following steps:
A. Randomly generate an initial population from the field detection data, then compute the fitness f of the generated initial population,
where H(i, s) denotes the information entropy between individual i and a single individual in the self set S, and the self set S contains n individuals; the individuals are sorted, and those with fitness f > 0.8 are selected for inheritance into the next generation;
B. At the same time, apply crossover and mutation operations to the individuals in the population;
C. If the fitness f of the population meets the termination condition (f > 0.8), the rule base is obtained; if not, training continues until the training rule base is obtained.
Further, the normal behaviour set and the intrusion behaviour set in step 102 are expressed respectively as follows: when the field detection data is A, it is normal behaviour; when the field detection data is B, it belongs to the intrusion behaviour set.
The advantages and beneficial effects of the present invention are as follows:
The present invention combines feature detection with anomaly detection, overcoming the inability of traditional feature detection to detect unknown intrusion behaviour: both known and unknown intrusion behaviour can be detected during detection. Compared with traditional feature detection or anomaly detection methods, the above scheme has the advantages of a low false alarm rate, a low miss rate and a high detection rate. Because the immune genetic algorithm is used in generating the rule base, the method has strong self-learning ability and good adaptivity.
Brief description of the drawings
Fig. 1 is a schematic flow diagram of the present invention;
Fig. 2 is a schematic block diagram of detection;
Fig. 3 is a detailed diagram of rule base generation, update and workflow.
Embodiment
A non-limiting embodiment is given below, with reference to the accompanying drawings, to further illustrate the invention.
As shown in Fig. 1 to Fig. 3, the IoT sensing-layer intrusion detection method comprises the following steps:
101. Initialization: generate a rule base whose content is empty;
102. An IoT sensing-layer node uses sensors to acquire and collect field detection data (such as temperature and humidity); the collected field detection data is trained with an immune genetic algorithm to form a normal behaviour set and an intrusion behaviour set, and the two sets are each stored in the rule base of step 101 to form the training rule base; go to step 103;
103. When the IoT sensing-layer node again uses sensors to acquire and collect field detection data, the field detection data is judged using the feature-based detection method. If the field detection data matches the normal behaviour set in the training rule base of step 102, the detection result is judged to be 1, the field detection data is safe, and the acquired field detection data is updated into the training rule base;
If the field detection data matches the intrusion behaviour set in the training rule base of step 102, the detection result is judged to be 0 and the field detection data is potential-hazard data; the potential-hazard data is then detected using the anomaly-based detection method. If the result of this second detection is 1, the potential-hazard data is judged to be false-alarm data; it is passed, and the false-alarm data is fed back to update the training rule base. If the result of the second detection is 0, the potential-hazard data is intrusion data, and the intrusion data is intercepted and an alarm is raised.
Preferably, the immune genetic algorithm in step 102 comprises the following steps:
A. Randomly generate an initial population from the field detection data, then compute the fitness f of the generated initial population,
where H(i, s) denotes the information entropy between individual i and a single individual in the self set S, and the self set S contains n individuals; the individuals are sorted, and those with fitness f > 0.8 are selected for inheritance into the next generation;
B. At the same time, apply crossover and mutation operations to the individuals in the population;
C. If the fitness f of the population meets the termination condition (f > 0.8), the rule base is obtained; if not, training continues until the training rule base is obtained.
The normal behaviour set and the intrusion behaviour set in step 102 are expressed respectively as follows: when the field detection data is A, it is normal behaviour; when the field detection data is B, it belongs to the intrusion behaviour set.
Embodiment: the IoT sensing-layer intrusion detection method mainly consists of a sensing-layer data collection step, a rule base generation and update step, an intrusion behaviour detection step and a response step, as shown in Fig. 1.
The sensing-layer data collection step is responsible for collecting and temporarily storing data.
The rule base generation and update step generates the rule description base used by feature detection and anomaly detection and keeps itself up to date. In generating the rule base, an initial population is first generated randomly; the fitness of the generated initial population is then computed and sorted, and individuals with high fitness are selected for inheritance into the next generation. At the same time, crossover and mutation operations are applied to the individuals in the population to strengthen individual adaptability and so improve the population. Finally, a termination check is made on the new population: if the fitness of the population meets the termination condition, the rule base is obtained; if not, training continues. In the update process, the results obtained by the detection module during detection are fed back into the previously generated rule base, achieving real-time update.
The intrusion behaviour detection step judges the security of the data and at the same time feeds back to the rule base. The response step handles the data according to the message from the intrusion behaviour detection step.
The complete detection process is as follows:
As shown in Fig. 2, after data is collected by the sensing-layer data collection step, it flows into the combined detection module for processing. The data first enters the rule base as initial data and is trained to form the rule base; the feature detection module then uses the resulting rule base for preliminary detection. If the detection result is 1, the data is safe; it is passed and fed back into the rule base so that the rule base is updated in time. If the detection result is 0, the data poses a potential security hazard and is sent to the anomaly detection module for a second detection. If the result of the second detection is 1, the preliminary detection was a false alarm; the data is passed and fed back to update the rule base. If the result of the second detection is 0, the data is intrusion data; the result is sent directly to the response module, which intercepts the data and raises an alarm.
Rule base generation, update and operation are as shown in Fig. 3:
1. Generation: when the system of the present invention is used for the first time, the rule base is empty, and the data directly forms the normal behaviour base and the intrusion behaviour base through the immune genetic algorithm;
2. Update: after the rule base has been generated, normal behaviour identified by feature detection and anomaly detection, i.e. behaviour judged as 1, is used to update the normal behaviour base, and intrusion behaviour identified by anomaly detection updates the intrusion behaviour base;
3. Operation: the intrusion behaviour and the normal behaviour described in the rule base are sent to feature detection and anomaly detection respectively for comparison, yielding their respective detection results.
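The detection flow of Fig. 2 and the rule base update rules above, written out as an added Python example (not code from the patent). The tolerance-based signature match, the k-sigma anomaly test, the routing of readings that match neither set to the second stage, and the seed readings are all assumptions; the rule base is seeded by hand here rather than trained with the immune genetic algorithm.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev

Reading = tuple[float, float]  # assumed record shape: (temperature C, humidity %)


@dataclass
class RuleBase:
    normal: list[Reading] = field(default_factory=list)     # normal behaviour set
    intrusion: list[Reading] = field(default_factory=list)  # intrusion behaviour set


def seed_rule_base() -> RuleBase:
    """Constructed sample data standing in for the trained rule base."""
    return RuleBase(
        normal=[(21.0, 40.0), (21.5, 41.0), (22.0, 42.0), (22.5, 43.0), (23.0, 44.0)],
        intrusion=[(85.0, 5.0)],
    )


def _near(a: Reading, b: Reading, tol: float) -> bool:
    """Assumed signature match: every feature within tol of the stored value."""
    return all(abs(x - y) <= tol for x, y in zip(a, b))


def feature_detect(rb: RuleBase, r: Reading, tol: float = 0.5) -> int:
    """Stage 1: 1 if r matches the normal set, 0 if it matches the intrusion set.

    Assumption: a reading that matches neither set also yields 0, so that
    unknown behaviour reaches stage 2 instead of being passed.
    """
    if any(_near(r, s, tol) for s in rb.intrusion):
        return 0
    return 1 if any(_near(r, s, tol) for s in rb.normal) else 0


def anomaly_detect(rb: RuleBase, r: Reading, k: float = 3.0) -> int:
    """Stage 2 (assumed model): 1 if every feature lies within k standard
    deviations of the normal set's mean, else 0."""
    if len(rb.normal) < 2:          # no usable baseline yet: treat as abnormal
        return 0
    for i, value in enumerate(r):
        column = [s[i] for s in rb.normal]
        if abs(value - mean(column)) > k * max(pstdev(column), 1e-9):
            return 0
    return 1


def process(rb: RuleBase, r: Reading) -> str:
    """Run one reading through both stages and apply the rule base feedback."""
    if feature_detect(rb, r) == 1:
        rb.normal.append(r)         # result 1: safe, update the normal set
        return "pass"
    if anomaly_detect(rb, r) == 1:
        rb.normal.append(r)         # stage-1 false alarm: pass and feed back
        return "pass (false alarm)"
    rb.intrusion.append(r)          # intrusion: update the intrusion set
    return "intercept and alarm"


if __name__ == "__main__":
    rb = seed_rule_base()
    for reading in [(21.8, 41.7), (23.8, 45.5), (85.2, 5.3), (30.0, 42.0)]:
        print(reading, "->", process(rb, reading))
    print(len(rb.normal), "normal /", len(rb.intrusion), "intrusion entries")
```

Every passed reading is appended to the normal set, so the stage-2 baseline moves with the data it admits; a deployment would want to bound or audit that feedback.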
The present invention is suitable for intrusion detection of abnormal behaviour in the IoT sensing layer. Because the disclosed method uses feature detection and anomaly detection in combination, intrusion detection achieves a low false alarm rate, a low miss rate and a high detection rate; it also has good detection capability for unknown intrusion behaviour, together with good adaptive capability.
In traditional methods the false alarm rate is generally around 2%, whereas the method of the present invention can reduce the false alarm rate to below 0.3%. The detection rate can reach above 99%.
The above embodiments should be understood as merely illustrating the present invention and not as limiting its scope of protection. After reading the content of the present invention, a person skilled in the art can make various changes or modifications to it, and such equivalent changes and modifications likewise fall within the scope defined by the method claims of the present invention.
Claims (3)
1. An IoT sensing-layer intrusion detection method, characterized in that it comprises the following steps:
101. Initialization: generate a rule base whose content is empty;
102. An IoT sensing-layer node uses sensors to acquire and collect field detection data; the collected field detection data is trained with an immune genetic algorithm to form a normal behaviour set and an intrusion behaviour set, and the two sets are each stored in the rule base of step 101 to form the training rule base; go to step 103;
103. When the IoT sensing-layer node again uses sensors to acquire and collect field detection data, the field detection data is judged using the feature-based detection method. If the field detection data matches the normal behaviour set in the training rule base of step 102, the detection result is judged to be 1, the field detection data is safe, and the acquired field detection data is updated into the training rule base;
If the field detection data matches the intrusion behaviour set in the training rule base of step 102, the detection result is judged to be 0 and the field detection data is potential-hazard data; the potential-hazard data is then detected using the anomaly-based detection method. If the result of this second detection is 1, the potential-hazard data is judged to be false-alarm data; it is passed, and the false-alarm data is fed back to update the training rule base. If the result of the second detection is 0, the potential-hazard data is intrusion data, and the intrusion data is intercepted and an alarm is raised.
2. The IoT sensing-layer intrusion detection method according to claim 1, characterized in that the immune genetic algorithm in step 102 comprises the following steps:
A. Randomly generate an initial population from the field detection data, then compute the fitness f of the generated initial population,
where H(i, s) denotes the information entropy between individual i and a single individual in the self set S, and the self set S contains n individuals; the individuals are sorted, and those with fitness f > 0.8 are selected for inheritance into the next generation;
B. At the same time, apply crossover and mutation operations to the individuals in the population;
C. If the fitness f of the population meets the termination condition f > 0.8, the rule base is obtained; if not, training continues until the training rule base is obtained.
3. The IoT sensing-layer intrusion detection method according to claim 1, characterized in that the normal behaviour set and the intrusion behaviour set in step 102 are expressed respectively as follows: when the field detection data is A, it is normal behaviour; when the field detection data is B, it belongs to the intrusion behaviour set.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410211088.1A CN103973697B (en) | 2014-05-19 | 2014-05-19 | A kind of thing network sensing layer intrusion detection method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103973697A true CN103973697A (en) | 2014-08-06 |
CN103973697B CN103973697B (en) | 2017-03-29 |
Family
ID=51242743
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410211088.1A Active CN103973697B (en) | 2014-05-19 | 2014-05-19 | A kind of thing network sensing layer intrusion detection method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103973697B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN103973697B (en) | 2017-03-29 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |