CN111614614B - Safety monitoring method and device applied to Internet of things - Google Patents


Info

Publication number
CN111614614B
Authority
CN
China
Prior art keywords
intranet
behavior
information
same type
effective
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010292015.5A
Other languages
Chinese (zh)
Other versions
CN111614614A (en)
Inventor
郑霖
代维
林育民
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
River Security Inc
Original Assignee
River Security Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by River Security Inc
Priority to CN202010292015.5A
Publication of CN111614614A
Application granted
Publication of CN111614614B
Legal status: Active (current)
Anticipated expiration: legal status

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G16 INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16Y INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y 10/00 Economic sectors
    • G16Y 10/75 Information technology; Communication
    • G PHYSICS
    • G16 INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16Y INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y 30/00 IoT infrastructure
    • G16Y 30/10 Security thereof
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Abstract

The application provides a safety monitoring method and a safety monitoring device applied to the Internet of Things. The method comprises the following steps: a threat sensing platform collects traffic behavior information gathered by an Internet of Things gateway arranged in an intranet; the traffic behavior information of intranets belonging to the same type is integrated and effective behavior characteristics are extracted from it; and, based on the effective behavior characteristics, an intranet whose effective behavior characteristics deviate from the baseline behavior characteristics of intranets of the same type by more than a preset threshold is identified as an intranet with abnormal network behavior. The application can perform safety monitoring of the intranet and improve its security.

Description

Safety monitoring method and device applied to Internet of things
[ technical field ]
The application relates to the technical field of computer networks, in particular to a security monitoring method, a security monitoring device, security monitoring equipment and a computer storage medium applied to the Internet of things.
[ background of the invention ]
This section is intended to provide a background or context to the embodiments of the application that are recited in the claims. The description herein is not admitted to be prior art by inclusion in this section.
The Internet of Things (IoT) is an information carrier based on the Internet, traditional telecommunication networks and the like that allows all ordinary physical objects that can be independently addressed to form an interworking network. With the development of Internet of Things technology, more and more enterprises deploy Internet of Things devices in an intranet (i.e., a local area network) for manufacturing and production processes and enterprise production management. The environment of the enterprise intranet becomes increasingly complex, and IT (Information Technology) and OT (Operational Technology) are fused with each other, which brings more security management difficulty and hidden threats to the security of the enterprise intranet.
[ summary of the invention ]
In view of this, the present application provides a security monitoring method, apparatus, device and computer storage medium applied to the internet of things, so as to perform security monitoring on an intranet and improve security.
The specific technical scheme is as follows:
in a first aspect, the present application provides a security monitoring method applied to the internet of things, including:
the threat sensing platform collects flow behavior information collected by an internet of things gateway arranged in an intranet;
integrating the flow behavior information of the internal networks belonging to the same type and extracting effective behavior characteristics from the flow behavior information;
and based on the effective behavior characteristics, identifying the intranet of which the degree of deviation of the effective behavior characteristics from the baseline behavior characteristics of the intranet of the same type exceeds a preset threshold as the intranet with abnormal network behavior.
According to a preferred embodiment of the present application, the traffic behavior information includes one or any combination of the following:
communication quintuple information, protocol type information, network instruction information, network data payload information, and time at which traffic behavior occurs.
According to a preferred embodiment of the present application, the integrating traffic behavior information of intranets belonging to the same type includes:
and carrying out data cleaning and normalization processing on the flow behavior information of the internal networks belonging to the same type.
According to a preferred embodiment of the present application, the extracting effective behavior features from the data includes:
and inputting the vector representation of the flow behavior information of the intranet into a self-encoder for dimension reduction processing, and taking the obtained vector representation as the vector representation of the effective behavior characteristics.
According to a preferred embodiment of the present application, identifying, based on the effective behavior characteristics, an intranet in which the degree of deviation of the effective behavior characteristics from the baseline behavior characteristics of the same type of intranet exceeds a preset threshold as an intranet with abnormal network behavior includes:
inputting the vector representation of the effective behavior characteristics into a decoder for dimension-increasing processing, and determining the degree of difference between the vector representation obtained by the dimension-increasing processing and the vector representation of the traffic behavior information of the intranet;
and identifying, among the intranets of the same type, the intranets whose degree of difference exceeds a preset threshold as the intranets with abnormal network behavior.
According to a preferred embodiment of the present application, before integrating traffic behavior information of intranets belonging to the same type, the method further includes:
judging whether the flow behavior information of the intranet contains known malicious characteristic behaviors or not;
and identifying the intranet containing known malicious characteristic behaviors as the intranet with abnormal network behaviors.
In a second aspect, the present application further provides a security monitoring device applied to the internet of things, which is disposed on the threat sensing platform and includes:
the collecting unit is used for collecting flow behavior information collected by an internet of things gateway arranged in an intranet;
the integration unit is used for integrating the flow behavior information of the internal networks belonging to the same type;
and the first identification unit is used for extracting effective behavior characteristics from the integrated flow behavior information, and identifying the intranet with the effective behavior characteristics deviating from the baseline behavior characteristics of the intranet of the same type by more than a preset threshold value as the intranet with abnormal network behavior based on the effective behavior characteristics.
According to a preferred embodiment of the present application, the traffic behavior information includes one or any combination of the following:
communication quintuple information, protocol type information, network instruction information, network data payload information, and time at which traffic behavior occurs.
According to a preferred embodiment of the present application, the integration unit is specifically configured to perform data cleaning and normalization processing on traffic behavior information belonging to the same type of intranet.
According to a preferred embodiment of the present application, when extracting the effective behavior feature, the first identifying unit specifically performs:
and inputting the vector representation of the flow behavior information of the intranet into a self-encoder for dimension reduction processing, and taking the obtained vector representation as the vector representation of the effective behavior characteristics.
According to a preferred embodiment of the present application, the first identification unit specifically executes, when identifying, as an intranet with abnormal network behavior, an intranet whose effective behavior characteristic deviates from a baseline behavior characteristic of the intranet of the same type by more than a preset threshold based on the effective behavior characteristic:
inputting the vector representation of the effective behavior characteristics into a decoder for dimension-increasing processing, and determining the degree of difference between the vector representation obtained by the dimension-increasing processing and the vector representation of the traffic behavior information of the intranet;
and identifying, among the intranets of the same type, the intranets whose degree of difference exceeds a preset threshold as the intranets with abnormal network behavior.
According to a preferred embodiment of the present application, the apparatus further comprises:
the second identification unit is used for judging whether the flow behavior information of the intranet contains known malicious characteristic behaviors or not before the integration unit integrates the flow behavior information of the intranet belonging to the same type; and identifying the intranet containing known malicious characteristic behaviors as the intranet with abnormal network behaviors.
In a third aspect, the present application further provides an apparatus, comprising:
one or more processors;
a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method as in any of the above.
In a fourth aspect, the present application also provides a storage medium containing computer-executable instructions for performing the method as described in any one of the above when executed by a computer processor.
According to the above technical scheme, the safety detection method of the Internet of Things can perform safety monitoring on abnormal Internet of Things terminals and improve safety.
[ description of the drawings ]
Fig. 1 illustrates an exemplary system architecture of a security monitoring method or apparatus of the internet of things to which embodiments of the present invention may be applied;
FIG. 2 is a flow chart of a method provided by an embodiment of the present application;
FIG. 3 is a schematic diagram of an exemplary embodiment of an encoder-decoder;
fig. 4 is a structural diagram of a security detection apparatus according to an embodiment of the present application;
FIG. 5 illustrates a block diagram of an exemplary computer system/server suitable for use in implementing embodiments of the present invention.
[ detailed description ]
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in detail below with reference to the accompanying drawings and specific embodiments.
Fig. 1 shows an exemplary system architecture of a security monitoring method or apparatus of the internet of things to which an embodiment of the present invention can be applied.
As shown in fig. 1, the system architecture may include an intranet, an Internet of Things gateway, an extranet server and a threat awareness platform. The intranet is a private network, typically a local area network set up by an enterprise, a school, a factory or the like; it may contain devices such as Internet of Things terminals, computer terminals and intranet servers, and in this application it is also provided with an Internet of Things gateway, which is responsible for data exchange between intranet subnets.
The extranet can be the internet, and equipment in the intranet interacts with an extranet server through the internet. Various applications such as voice interaction applications, web browser applications, communication applications and the like can be installed on the internet of things terminal and the computer terminal.
The internet of things terminal can include, but is not limited to, smart home devices, smart wearable devices, smart transportation devices, smart environment monitoring devices, smart office devices, and the like. The threat awareness platform provided by the invention can be arranged and operated in an extranet server. It may be implemented as a plurality of software or software modules (for example, for providing distributed services), or as a single software or software module, which is not specifically limited herein. The extranet server may be a single server or a server group including a plurality of servers.
It should be understood that the number of intranet, internet of things terminal, computer terminal, network and server in fig. 1 is merely illustrative. According to the implementation requirement, any number of internal networks, internet of things terminals, computer terminals, networks and servers can be provided.
Fig. 2 is a flowchart of a method provided by an embodiment of the present application, and as shown in fig. 2, the method may include the following steps:
in 201, the threat awareness platform collects traffic behavior information collected by an internet of things gateway disposed in an intranet.
In the embodiment of the application, a program responsible for monitoring and acquiring traffic behavior information can be compiled for the internet of things gateways arranged in each intranet, and the program is embedded and operated in the internet of things gateways. The program can reside in a system of an internet of things gateway, and continuously monitors and acquires flow behavior information generated by an intranet.
The traffic behavior information may include one or any combination of communication quintuple information, protocol type information, network instruction information, network data payload information, time when the traffic behavior occurs, and the like.
The communication quintuple information may include: protocol of the traffic, source address, destination address, source port and destination port information.
The protocol type information may be the protocol adopted by network instructions or network data transmitted via the Internet of Things gateway, such as HTTP, FTP, VoIP and the like. For different types of networks, especially special-purpose networks, the protocol type also serves as one of the traffic behavior attributes to be monitored, because the protocol behavior may differ between them.
The network instruction information may be information such as the type and content of a network instruction transmitted via the gateway of the internet of things.
The network data payload information may be information such as payload content or a hash value of the payload of the network data transmitted via the gateway of the internet of things.
The time when the traffic behavior occurs may be time information of the network behavior information acquired through the gateway of the internet of things.
The internet of things gateway can send the collected flow behavior information to the threat sensing platform through an external network in a streaming or periodic mode, and the flow behavior information is collected and stored by the threat sensing platform.
At 202, traffic behavior information of the same type of intranet is integrated and effective behavior features are extracted therefrom.
The type of intranet may be an enterprise intranet, an industrial control intranet, a school intranet or the like. Generally, there are certain differences in the network behaviors that different types of intranet generate on traffic, while intranets of the same type should have more consistent behavior characteristics in the network behaviors they generate on traffic. When the network behavior characteristics of one or more intranets deviate from the baseline, the possibility that they have been intruded is high. The technical scheme of the application is based on this core idea.
After the threat perception platform collects the flow behavior information collected by each internet of things gateway, the flow behavior information belonging to the same type of intranet can be subjected to data cleaning and normalization processing during integration. The data cleaning can filter out traffic behavior information with data missing, invalid traffic behavior information and the like, so that the left traffic behavior information is valid.
In general, when the industry performs anomaly identification of an intranet, a clustering method such as K-Means is usually adopted, but such methods mostly depend on manual experience when a threshold is selected, which causes misjudgment and low accuracy.
The method and device instead adopt a more intelligent neural-network-based autoencoder (self-encoder) algorithm to realize unsupervised anomaly detection. When the effective behavior feature is extracted, the vector representation of the traffic behavior information of the intranet may be input to the self-encoder for dimensionality reduction processing, and the obtained vector representation may be used as the vector representation of the effective behavior feature.
After the traffic behavior information of the intranet is normalized, a vector representation formed from the traffic behavior information of the intranet can be obtained by mapping, and the dimensionality of the vector representation is consistent with the number of kinds of traffic behavior information of the intranet. For example, if thirty kinds of traffic behavior information are collected for each intranet, the traffic behavior information of one intranet can be represented as a thirty-dimensional vector. As shown in fig. 3, the vector representation is input to a self-encoder formed by a multilayer neural network to reduce the dimension of the multidimensional vector representation of the intranet, for example to reduce a thirty-dimensional vector made up of communication quintuple information, protocol type information, network instruction information, network data payload information and the time when traffic behavior occurs to five dimensions. In this process, the multilayer neural network automatically learns the effective behavior characteristics, which are represented by the five-dimensional vector obtained by dimension reduction. That is to say, five dimensions of traffic behavior information are learned automatically from the thirty-dimensional vector, and the behavior features they represent are the effective behavior features. The values thirty and five are only examples given in this application; the application is not limited to these specific dimensions.
In 203, based on the effective behavior features, the intranet of which the degree of deviation of the effective behavior features from the baseline behavior features of the same type of intranet exceeds a preset threshold is identified as the intranet with abnormal network behavior.
In this step, the vector representation of the effective behavior characteristics can be input into a decoder formed by a multilayer neural network for dimension-increasing processing, and then the degree of difference between the vector representation obtained by the dimension-increasing processing and the vector representation of the traffic behavior information of the intranet before dimension reduction is determined; among the intranets of the same type, those whose degree of difference exceeds a preset threshold are identified as the intranets with abnormal network behavior. For example, as shown in fig. 3, the five-dimensional vector obtained after dimensionality reduction is raised back to thirty dimensions by a decoder formed by a multilayer neural network, and the resulting thirty-dimensional vector is compared with the thirty-dimensional vector before the initial dimensionality reduction to determine the degree of difference. The degree of difference can be determined for all intranets of the same type, and the degrees of difference of the intranets of the same type are averaged. If the degree of difference of a certain intranet deviates from the average value by more than a preset threshold, that intranet is identified as an intranet with abnormal network behavior.
That is, the vector representation obtained by the dimension reduction processing is restored. Since the learned effective behavior features are those that best reflect the traffic behavior of the intranet, ideally the difference between the vector before dimensionality reduction and the vector after restoration should fall within a normal range, and that normal range is the degree of difference generally exhibited by intranets of the same type. If the error between the before and after vectors of a certain intranet deviates from the normal range, that intranet can be considered an intranet with abnormal network behavior, and it may have been intruded.
In this method, the effective behavior characteristics are obtained through self-learning by the multilayer neural network, so the feature threshold does not need to be set manually; the self-encoding-based algorithm can greatly reduce the misjudgment that clustering algorithms incur from manually selected feature thresholds, and is more efficient.
For the identified intranet with the network behavior abnormality, the threat awareness platform may send an abnormality notification to the administrator, where the abnormality notification may include intranet information with the network behavior abnormality, such as information of an ID, a location, a type, and the like of the intranet, and may further include traffic behavior information of the intranet. The exception notification may be provided to the administrator visually, for example, through a system interface, or may be sent to a terminal of the administrator. Through innovation on the intranet safety monitoring technology, the enterprise safety team can more effectively discover threats and respond in time.
Further, before performing step 202, it may be first determined whether the traffic behavior information of the intranet contains known malicious characteristic behaviors, and if so, the intranet containing the known malicious characteristic behaviors may be identified as the intranet with abnormal network behaviors. The known malicious characteristic behaviors can be manually configured according to experience, can also be known malicious characteristic behaviors accurately identified by other modes, and can also be characteristic behaviors obtained by performing behavior characteristic analysis on an intranet with abnormal network behaviors, which is identified by the mode provided by the embodiment of the application.
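The pipeline of steps 201 to 203 together with the known-malicious pre-check, as an added example that is not code from the patent or from River Security. It assumes gateway reports already aggregated into per-intranet counts and ratios (constructed), a tied-weight linear encoder/decoder standing in for the multilayer self-encoder, and a constructed preset threshold of 1.0 on the deviation from the same-type average degree of difference.

```python
"""Added example (not the patent's or River Security's code): steps 201-203
plus the known-malicious pre-check for one type of intranet. Assumptions:
reports are pre-aggregated per intranet; the self-encoder is a tied-weight
LINEAR encoder/decoder (principal directions by power iteration) standing in
for the multilayer network; signature-flagged intranets skip the unsupervised
stage."""
import math
import random

# Feature kinds derived from quintuple, protocol type, instruction, payload-hash
# and timing information (constructed names).
FEATURES = ["flows_per_hour", "distinct_dst_ports", "http_ratio",
            "ftp_ratio", "write_cmd_ratio", "novel_payload_hash_ratio"]


def constructed_reports():
    """Constructed aggregates: plants 01-08 share one pattern, plant-09 is silently
    off-pattern, plant-10 has known-malicious hits, plant-11 has a missing field."""
    base = {"flows_per_hour": 1200, "distinct_dst_ports": 40, "http_ratio": 0.60,
            "ftp_ratio": 0.10, "write_cmd_ratio": 0.20, "novel_payload_hash_ratio": 0.0}
    load = [-4, -3, -2, -1, 1, 2, 3, 4]   # busier or quieter than the baseline
    mix = [2, -1, 3, -3, 1, -2, 4, -4]    # more or fewer FTP and write commands
    reports = []
    for i, (a, b) in enumerate(zip(load, mix), start=1):
        reports.append({"intranet_id": f"plant-{i:02d}", "signature_hits": 0,
                        "flows_per_hour": base["flows_per_hour"] + 50 * a,
                        "distinct_dst_ports": base["distinct_dst_ports"] + 2 * a,
                        "http_ratio": base["http_ratio"] + 0.02 * a,
                        "ftp_ratio": base["ftp_ratio"] + 0.01 * b,
                        "write_cmd_ratio": base["write_cmd_ratio"] + 0.015 * b,
                        "novel_payload_hash_ratio": 0.0})
    reports.append(dict(base, intranet_id="plant-09", signature_hits=0,
                        novel_payload_hash_ratio=0.35))
    reports.append(dict(base, intranet_id="plant-10", signature_hits=3))
    reports.append(dict(base, intranet_id="plant-11", signature_hits=0, http_ratio=None))
    return reports


def known_malicious(reports):
    """Pre-check before integration: known malicious characteristic behaviour."""
    return {r["intranet_id"] for r in reports if r.get("signature_hits", 0) > 0}


def clean(reports):
    """Data cleaning: discard reports with any missing feature value."""
    return [r for r in reports if all(r.get(f) is not None for f in FEATURES)]


def normalize(reports):
    """Normalization: z-score each feature across the same-type intranets."""
    cols = [[float(r[f]) for r in reports] for f in FEATURES]
    mu = [sum(c) / len(c) for c in cols]
    sd = [math.sqrt(sum((x - m) ** 2 for x in c) / len(c)) or 1.0
          for c, m in zip(cols, mu)]
    return [[(float(r[f]) - mu[j]) / sd[j] for j, f in enumerate(FEATURES)]
            for r in reports]


def _dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def principal_directions(vectors, k, iters=300):
    """Encoder weights: top-k unit directions of the centred data (power iteration)."""
    d, n = len(vectors[0]), len(vectors)
    cov = [[sum(v[i] * v[j] for v in vectors) / n for j in range(d)] for i in range(d)]
    rng = random.Random(7)  # fixed seed keeps the run reproducible
    dirs = []
    for _ in range(k):
        w = [rng.uniform(-1.0, 1.0) for _ in range(d)]
        for _ in range(iters):
            w = [_dot(row, w) for row in cov]
            norm = math.sqrt(_dot(w, w)) or 1.0
            w = [x / norm for x in w]
        lam = _dot(w, [_dot(row, w) for row in cov])
        cov = [[cov[i][j] - lam * w[i] * w[j] for j in range(d)] for i in range(d)]  # deflate
        dirs.append(w)
    return dirs


def encode(vec, dirs):
    """Dimension reduction: the k coefficients are the effective behaviour features."""
    return [_dot(vec, w) for w in dirs]


def decode(code, dirs):
    """Dimension increase: map the k-dimensional code back to feature space."""
    return [sum(c * w[i] for c, w in zip(code, dirs)) for i in range(len(dirs[0]))]


def difference_degree(vec, dirs):
    restored = decode(encode(vec, dirs), dirs)
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(vec, restored)))


def detect(reports, k=2, threshold=1.0):
    """Steps 201-203 for one intranet type: returns (abnormal ids, degree per
    intranet). `threshold` is the preset deviation from the same-type average."""
    flagged = known_malicious(reports)
    kept = [r for r in clean(reports) if r["intranet_id"] not in flagged]
    vecs = normalize(kept)
    dirs = principal_directions(vecs, k)
    degree = {r["intranet_id"]: difference_degree(v, dirs) for r, v in zip(kept, vecs)}
    average = sum(degree.values()) / len(degree)
    flagged |= {i for i, e in degree.items() if e - average > threshold}
    return flagged, degree


if __name__ == "__main__":
    abnormal, degree = detect(constructed_reports())
    print({name: round(e, 3) for name, e in sorted(degree.items())})
    print("abnormal intranets:", sorted(abnormal))
```

With this constructed data the eight baseline plants share a degree of difference of about 0.354, plant-09 sits at about 2.828, and plant-10 is reported by the pre-check without entering the unsupervised stage.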
The above is a detailed description of the method provided in the present application, and the following is a detailed description of the apparatus provided in the present application with reference to the embodiments.
Fig. 4 is a structural diagram of a security detection apparatus according to an embodiment of the present application. As shown in fig. 4, the apparatus is disposed on the threat awareness platform of the foregoing method to implement the functions of that platform. The apparatus specifically comprises: a collecting unit 01, an integrating unit 02 and a first identifying unit 03, and may further include a second identifying unit 04. The main functions of each component unit are as follows:
the collection unit 01 is responsible for collecting traffic behavior information collected by the internet of things gateway arranged in the intranet.
Wherein, the traffic behavior information includes one or any combination of the following:
communication quintuple information, protocol type information, network instruction information, network data payload information, and time at which traffic behavior occurs.
The integration unit 02 is responsible for integrating traffic behavior information of the same type of intranet. Specifically, the integration unit 02 may perform data cleaning and normalization processing on the traffic behavior information belonging to the same type of intranet.
The first identification unit 03 is responsible for extracting effective behavior features from the integrated flow behavior information, and based on the effective behavior features, identifies the intranet of which the degree of deviation of the effective behavior features from the baseline behavior features of the same type of intranet exceeds a preset threshold as the intranet with abnormal network behavior.
As a preferred embodiment, when extracting the effective behavior feature, the first identifying unit 03 may input a vector representation of the traffic behavior information of the intranet to the encoder to perform the dimension reduction processing, and may use the obtained vector representation as a vector representation of the effective behavior feature.
When identifying, based on the effective behavior characteristics, the intranet whose effective behavior characteristics deviate from the baseline behavior characteristics of intranets of the same type by more than the preset threshold as the intranet with abnormal network behavior, the first identification unit 03 may input the vector representation of the effective behavior characteristics into a decoder for dimension-increasing processing, and determine the degree of difference between the vector representation obtained by the dimension-increasing processing and the vector representation of the traffic behavior information of the intranet; and identify, among the intranets of the same type, the intranet whose degree of difference deviates from the average degree of difference of those intranets by more than a preset threshold as the intranet with abnormal network behavior.
Before the integration unit 02 integrates the traffic behavior information of the internal networks belonging to the same type, the second identification unit 04 judges whether the traffic behavior information of the internal networks contains known malicious characteristic behaviors; and identifying the internal network containing the known malicious characteristic behaviors as the internal network with abnormal network behaviors.
The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the unit is only a logical division, and other divisions may be realized in practice. The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
FIG. 5 illustrates a block diagram of an exemplary computer system/server suitable for use in implementing embodiments of the present invention. The computer system/server 012 shown in fig. 5 is only an example, and should not bring any limitation to the function and the scope of use of the embodiment of the present invention.
As shown in fig. 5, the computer system/server 012 is embodied as a general purpose computing device. The components of computer system/server 012 may include, but are not limited to: one or more processors or processing units 016, a system memory 028, and a bus 018 that couples various system components including the system memory 028 and the processing unit 016.
Bus 018 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, a processor, or a local bus using any of a variety of bus architectures. By way of example, such architectures include, but are not limited to, Industry Standard Architecture (ISA) bus, micro-channel architecture (MAC) bus, enhanced ISA bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus.
Computer system/server 012 typically includes a variety of computer system readable media. Such media may be any available media that is accessible by computer system/server 012 and includes both volatile and nonvolatile media, removable and non-removable media.
System memory 028 can include computer system readable media in the form of volatile memory, such as Random Access Memory (RAM) 030 and/or cache memory 032. The computer system/server 012 may further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, storage system 034 may be used to read from and write to non-removable, nonvolatile magnetic media (not shown in FIG. 5, commonly referred to as a "hard drive"). Although not shown in FIG. 5, a magnetic disk drive for reading from and writing to a removable, nonvolatile magnetic disk (e.g., a "floppy disk") and an optical disk drive for reading from or writing to a removable, nonvolatile optical disk (e.g., a CD-ROM, DVD-ROM, or other optical media) may be provided. In such cases, each drive may be connected to bus 018 via one or more data media interfaces. Memory 028 can include at least one program product having a set (e.g., at least one) of program modules configured to carry out the functions of embodiments of the present invention.
Program/utility 040 having a set (at least one) of program modules 042 can be stored, for example, in memory 028, such program modules 042 including, but not limited to, an operating system, one or more application programs, other program modules, and program data, each of which examples or some combination thereof might include an implementation of a network environment. Program modules 042 generally perform the functions and/or methodologies of embodiments of the present invention as described herein.
The computer system/server 012 may also communicate with one or more external devices 014 (e.g., keyboard, pointing device, display 024, etc.). In the present invention, the computer system/server 012 communicates with an external radar device, and may also communicate with one or more devices that enable a user to interact with the computer system/server 012, and/or with any device (e.g., network card, modem, etc.) that enables the computer system/server 012 to communicate with one or more other computing devices. Such communication may occur through an input/output (I/O) interface 022. Also, the computer system/server 012 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network such as the Internet) via the network adapter 020. As shown, the network adapter 020 communicates with the other modules of the computer system/server 012 via bus 018. It should be appreciated that although not shown in fig. 5, other hardware and/or software modules may be used in conjunction with computer system/server 012, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
The processing unit 016 executes programs stored in the system memory 028, thereby executing various functional applications and data processing, such as implementing the method flow provided by the embodiment of the present invention.
The computer program described above may be provided in a computer storage medium encoded with a computer program that, when executed by one or more computers, causes the one or more computers to perform the method flows and/or apparatus operations shown in the above-described embodiments of the invention. For example, the method flows provided by the embodiments of the invention are executed by one or more processors described above.
As time and technology advance, the meaning of "media" has broadened: computer programs are no longer distributed only on tangible media, but may also be downloaded directly from a network. Any combination of one or more computer-readable media may be employed. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (8)

1. A safety monitoring method applied to the Internet of things is characterized by comprising the following steps:
the threat sensing platform collects flow behavior information collected by an internet of things gateway arranged in an intranet;
integrating the flow behavior information of the internal networks belonging to the same type and extracting effective behavior characteristics from the flow behavior information; wherein, the integrating the traffic behavior information of the internal networks belonging to the same type comprises: carrying out data cleaning and normalization processing on the flow behavior information of the internal networks belonging to the same type;
based on the effective behavior characteristics, identifying the intranet of which the degree of deviation of the effective behavior characteristics from the baseline behavior characteristics of the intranet of the same type exceeds a preset threshold as the intranet with abnormal network behavior;
wherein the extracting effective behavior characteristics from the flow behavior information comprises: inputting the vector representation of the flow behavior information of the intranet into a self-encoder for dimension reduction processing, and taking the obtained vector representation as the vector representation of the effective behavior characteristics;
based on the effective behavior characteristics, identifying the intranet with the effective behavior characteristics deviating from the baseline behavior characteristics of the intranet of the same type by more than a preset threshold as the intranet with abnormal network behavior comprises: inputting the vector representation of the effective behavior characteristics into a decoder for dimensionality enhancement processing, and determining the difference degree between the vector representation obtained by the dimensionality enhancement processing and the vector representation of the flow behavior information of the intranet; and identifying the inner networks with the difference degrees exceeding a preset threshold value in the inner networks of the same type as the inner networks with abnormal network behaviors.
2. The method of claim 1, wherein the traffic behavior information comprises one or any combination of the following:
communication quintuple information, protocol type information, network instruction information, network data payload information, and time at which traffic behavior occurs.
3. The method according to claim 1, further comprising, before the integrating traffic behavior information of intranets belonging to the same type:
judging whether the flow behavior information of the intranet contains known malicious characteristic behaviors or not;
and identifying the intranet containing known malicious characteristic behaviors as the intranet with abnormal network behaviors.
4. A safety monitoring device applied to the Internet of things, characterized in that the device is arranged in a threat sensing platform and comprises:
the collecting unit is used for collecting flow behavior information collected by an internet of things gateway arranged in an intranet;
the integration unit is used for integrating the flow behavior information of the internal networks belonging to the same type, and is specifically used for carrying out data cleaning and normalization processing on the flow behavior information of the internal networks belonging to the same type;
the first identification unit is used for extracting effective behavior characteristics from the integrated flow behavior information, and identifying the intranet with the effective behavior characteristics deviating from the baseline behavior characteristics of the intranet of the same type by more than a preset threshold value as the intranet with abnormal network behavior based on the effective behavior characteristics;
wherein, when extracting the effective behavior feature, the first identification unit specifically executes: inputting the vector representation of the flow behavior information of the intranet into a self-encoder for dimension reduction processing, and taking the obtained vector representation as the vector representation of the effective behavior characteristics;
the first identification unit specifically executes the following steps when the intranet, of which the degree of deviation of the effective behavior characteristics from the baseline behavior characteristics of the intranet of the same type exceeds a preset threshold value, is identified as the intranet with abnormal network behavior based on the effective behavior characteristics: inputting the vector representation of the effective behavior characteristics into a decoder for dimension-increasing processing, and determining the difference degree between the vector representation obtained by dimension-increasing processing and the vector representation of the flow behavior information of the intranet; and identifying the inner networks with the difference degrees exceeding a preset threshold value in the inner networks of the same type as the inner networks with abnormal network behaviors.
5. The apparatus of claim 4, wherein the traffic behavior information comprises one or any combination of the following:
communication quintuple information, protocol type information, network instruction information, network data payload information, and time at which traffic behavior occurs.
6. The apparatus of claim 4, further comprising:
the second identification unit is used for judging whether the flow behavior information of the intranet contains known malicious characteristic behaviors or not before the integration unit integrates the flow behavior information of the intranet belonging to the same type; and identifying the intranet containing known malicious characteristic behaviors as the intranet with abnormal network behaviors.
7. An apparatus, characterized in that the apparatus comprises:
one or more processors;
a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-3.
8. A storage medium containing computer-executable instructions for performing the method of any one of claims 1-3 when executed by a computer processor.
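The detection pipeline of claims 1 and 4 (data cleaning and normalization of the traffic behavior information of same-type intranets, dimension reduction by a self-encoder, dimension increase by a decoder, and comparison of the difference degree against a preset threshold), and the integration and first identification units of the apparatus embodiment above, as an added Python example. This is not the patent's or River Security's code: a linear autoencoder fitted by power iteration (a PCA projection) stands in for the neural self-encoder the claims describe, the feature names, site values and threshold of 0.5 are constructed for the illustration, and the known-malicious-signature pre-check of claim 3 is not included.

```python
"""Reconstruction-error anomaly detection over same-type intranets.

Added illustration, not code from the patent or its assignee. A linear
autoencoder (PCA fitted by orthogonal power iteration) stands in for the
patent's self-encoder; feature names, sample values and the threshold are
constructed for this example.
"""
import math
from typing import Dict, List, Sequence

# Hypothetical per-intranet features aggregated by the IoT gateway (constructed):
# flows per minute, distinct destination ports, mean payload bytes, share of
# traffic outside business hours.
FEATURES = ("flows_per_min", "distinct_dst_ports", "mean_payload_bytes", "off_hours_ratio")

# Constructed baseline: eight "smart-building" intranets sharing one behaviour
# pattern (distinct ports scale with flows, about 5 % of traffic off-hours).
BASELINE_SAME_TYPE: Dict[str, Dict[str, float]] = {
    "site-%d" % i: {"flows_per_min": flows, "distinct_dst_ports": flows / 10,
                    "mean_payload_bytes": payload, "off_hours_ratio": 0.05}
    for i, (flows, payload) in enumerate(
        zip(range(100, 241, 20), (300, 500, 400, 600, 350, 550, 450, 650)))
}

# Constructed current observations: two sites behave like the baseline, one
# fans out to many ports and talks at night, one record is incomplete.
CURRENT_SAME_TYPE: Dict[str, Dict[str, float]] = {
    "site-3": {"flows_per_min": 160, "distinct_dst_ports": 16,
               "mean_payload_bytes": 600, "off_hours_ratio": 0.05},
    "site-7": {"flows_per_min": 240, "distinct_dst_ports": 24,
               "mean_payload_bytes": 650, "off_hours_ratio": 0.05},
    "site-9": {"flows_per_min": 150, "distinct_dst_ports": 60,
               "mean_payload_bytes": 420, "off_hours_ratio": 0.60},
    "site-broken": {"flows_per_min": 130},
}


def clean(records: Dict[str, Dict[str, float]]) -> Dict[str, List[float]]:
    """Data cleaning: keep only records that carry every feature as a finite number."""
    kept = {}
    for name, rec in records.items():
        try:
            vec = [float(rec[f]) for f in FEATURES]
        except (KeyError, TypeError, ValueError):
            continue
        if all(math.isfinite(v) for v in vec):
            kept[name] = vec
    return kept


class LinearAutoencoder:
    """Min-max normalization plus a rank-k projection: encode reduces, decode restores."""

    def __init__(self, latent_dim: int) -> None:
        self.k = latent_dim

    def fit(self, rows: Sequence[Sequence[float]]) -> "LinearAutoencoder":
        n, d = len(rows), len(rows[0])
        self.lo = [min(r[j] for r in rows) for j in range(d)]
        hi = [max(r[j] for r in rows) for j in range(d)]
        # A feature constant in the baseline keeps unit scale instead of a zero divide.
        self.scale = [hi[j] - self.lo[j] if hi[j] > self.lo[j] else 1.0 for j in range(d)]
        norm = [self._normalize(r) for r in rows]
        self.mean = [sum(r[j] for r in norm) / n for j in range(d)]
        centered = [[r[j] - self.mean[j] for j in range(d)] for r in norm]
        cov = [[sum(r[i] * r[j] for r in centered) / n for j in range(d)] for i in range(d)]
        self.components: List[List[float]] = []
        for _ in range(self.k):
            v = [1.0 / (j + 1) for j in range(d)]  # deterministic start vector
            for _ in range(200):
                v = [sum(cov[i][j] * v[j] for j in range(d)) for i in range(d)]
                for u in self.components:  # keep the new direction orthogonal to earlier ones
                    dot = sum(a * b for a, b in zip(u, v))
                    v = [a - dot * b for a, b in zip(v, u)]
                length = math.sqrt(sum(a * a for a in v))
                if length < 1e-12:  # baseline has fewer than k directions of variance
                    v = [0.0] * d
                    break
                v = [a / length for a in v]
            self.components.append(v)
        return self

    def _normalize(self, row: Sequence[float]) -> List[float]:
        return [(row[j] - self.lo[j]) / self.scale[j] for j in range(len(row))]

    def encode(self, row: Sequence[float]) -> List[float]:
        """Dimension reduction: coordinates of the centered vector on the k components."""
        c = [x - m for x, m in zip(self._normalize(row), self.mean)]
        return [sum(a * b for a, b in zip(v, c)) for v in self.components]

    def decode(self, z: Sequence[float]) -> List[float]:
        """Dimension increase: latent coordinates back to normalized feature space."""
        return [m + sum(zi * v[j] for zi, v in zip(z, self.components))
                for j, m in enumerate(self.mean)]

    def reconstruction_error(self, row: Sequence[float]) -> float:
        """Difference degree: distance between the normalized input and its reconstruction."""
        x = self._normalize(row)
        x_hat = self.decode(self.encode(row))
        return math.sqrt(sum((a - b) ** 2 for a, b in zip(x, x_hat)))


def detect_abnormal_intranets(baseline, current, latent_dim=2, threshold=0.5):
    """Fit on same-type baseline intranets; flag current ones above the preset threshold."""
    model = LinearAutoencoder(latent_dim).fit(list(clean(baseline).values()))
    scores = {name: model.reconstruction_error(vec) for name, vec in clean(current).items()}
    flagged = sorted(name for name, s in scores.items() if s > threshold)
    return scores, flagged


if __name__ == "__main__":
    scores, flagged = detect_abnormal_intranets(BASELINE_SAME_TYPE, CURRENT_SAME_TYPE)
    for name, s in sorted(scores.items()):
        print(f"{name:12s} reconstruction error {s:.3f}")
    print("abnormal intranets:", flagged)
```

The baseline is fitted only on intranets of the same type, so the reconstruction error measures deviation from that type's shared pattern rather than from an absolute rule: site-9 is flagged because its port fan-out breaks the flows-to-ports relation the other sites follow and its off-hours share leaves a direction the baseline never varies along, while the incomplete record is dropped during cleaning instead of producing a spurious score.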

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010292015.5A CN111614614B (en) 2020-04-14 2020-04-14 Safety monitoring method and device applied to Internet of things

Publications (2)

Publication Number Publication Date
CN111614614A CN111614614A (en) 2020-09-01
CN111614614B true CN111614614B (en) 2022-08-05

Family

ID=72203681

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010292015.5A Active CN111614614B (en) 2020-04-14 2020-04-14 Safety monitoring method and device applied to Internet of things

Country Status (1)

Country Link
CN (1) CN111614614B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113364739B (en) * 2021-05-13 2022-05-13 北京亚鸿世纪科技发展有限公司 Method and system for identifying abnormal flow of Internet of things equipment
CN113705714A (en) * 2021-09-03 2021-11-26 上海观安信息技术股份有限公司 Power distribution Internet of things equipment abnormal behavior detection method and device based on behavior sequence

Also Published As

Publication number Publication date
CN111614614A (en) 2020-09-01

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant