CN111865923A - Method, system, device and medium for identifying abnormal behavior of Internet of things card

Publication number
CN111865923A
Authority
CN
China
Legal status
Pending
Application number
CN202010579518.0A
Other languages
Chinese (zh)
Inventor
彭司宇
卢玉芳
郑涛
丁小丽
Current Assignee
Yitong Century Internet Of Things Research Institute Guangzhou Co ltd
Original Assignee
Yitong Century Internet Of Things Research Institute Guangzhou Co ltd
Application filed by Yitong Century Internet Of Things Research Institute Guangzhou Co ltd
Priority to CN202010579518.0A
Publication of CN111865923A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H04L63/1425: Traffic logging, e.g. anomaly detection
    • G: PHYSICS
    • G16: INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16Y: INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y30/00: IoT infrastructure
    • G16Y30/10: Security thereof

Abstract

The invention discloses a method, a system, a device and a medium for identifying abnormal behavior of an Internet of Things (IoT) card. The method comprises the following steps: obtaining XDR ticket data; extracting IoT card features from the XDR ticket data; identifying the IoT card service and the IoT card terminal according to the IoT card features; acquiring an IoT number traffic feature set according to the identified IoT card terminal; and identifying abnormal behavior of the IoT number according to the IoT number traffic feature set. Because anomaly detection is based on both the IoT card service and the IoT card terminal, the invention can identify many kinds of abnormal IoT card use, which widens the application range of anomaly identification. In addition, the method needs no manually labeled data and improves identification precision, and it can be widely applied in the technical field of the Internet of Things.

Description

Method, system, device and medium for identifying abnormal behavior of Internet of things card
Technical Field
The invention relates to the technical field of Internet of things, in particular to a method, a system, a device and a medium for identifying abnormal behaviors of an Internet of things card.
Background
With the development of communication technology, IoT cards and 5G technology are being applied on a large scale. However, some individual users take advantage of the IoT card's low cost, lack of real-name registration and similar characteristics to use the cards illegally. Identifying abnormal IoT card behavior is therefore of great significance for regulating IoT card use.
Existing schemes for identifying abnormal IoT card behavior suffer from low identification precision, a narrow application range and an inability to identify the device that is actually using the card, and they cannot be deployed directly on the live network.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method, a system, an apparatus, and a medium for identifying an abnormal behavior of an internet of things card, which have a wide application range and high accuracy.
A first aspect of the invention provides a method for identifying abnormal behavior of an IoT card, comprising the following steps:
obtaining XDR ticket data;
extracting IoT card features from the XDR ticket data;
identifying the IoT card service and the IoT card terminal according to the IoT card features;
acquiring an IoT number traffic feature set according to the identified IoT card terminal;
and identifying abnormal behavior of the IoT number according to the IoT number traffic feature set.
In some embodiments, obtaining the XDR ticket data includes:
collecting the user signaling corresponding to an IoT number, the user signaling comprising a source IP address, a destination IP address, a port number and a protocol type;
and processing the user signaling with DPI technology to obtain the XDR ticket data of the IoT user.
In some embodiments, in the step of extracting IoT card features from the XDR ticket data, the IoT card features include the IoT number, international mobile equipment identity, protocol, source IP address, source port, destination IP address, destination port, network access point name, uniform resource locator, referring link and user agent.
In some embodiments, identifying the IoT card service and the IoT card terminal according to the IoT card features includes:
for each data flow in the XDR ticket data: matching the IoT card features against the service identification rules in a pre-established DPI service identification feature library to generate an identification result for the IoT card service;
the identification result for the IoT card service comprises a service classification, a service name, a service action and a company affiliation;
matching the IoT card features against the regular expressions in a pre-established terminal feature library and extracting the mobile terminal model;
and identifying the terminal device model according to the mobile terminal model.
In some embodiments, acquiring the IoT number traffic feature set according to the identified IoT card terminal includes:
according to the IoT card terminal, computing the traffic features of each number that generates IoT service traffic;
the traffic features comprise IoT traffic, non-IoT traffic, IoT traffic proportion, non-IoT traffic proportion, IoT traffic number, non-IoT traffic number, IoT traffic usage days, non-IoT traffic usage days, 2/3G total traffic and 4G total traffic.
In some embodiments, identifying abnormal behavior of the IoT number according to the IoT number traffic feature set includes:
inputting the traffic features into a pre-trained autoencoder;
calculating, with the autoencoder, the reconstruction error of the traffic features of each IoT number;
and when the reconstruction error is greater than a threshold, determining that the corresponding IoT number is suspected of abnormal use.
In some embodiments, calculating the reconstruction error of the traffic features of each IoT number with the autoencoder includes:
calculating the encoder output from the input traffic features;
calculating the decoder output from the encoder output;
and calculating the Euclidean distance between the decoder output and the input traffic features to determine the reconstruction error.
A second aspect of the invention provides a system for identifying abnormal behavior of an IoT card, including:
an acquisition module for obtaining XDR ticket data;
an IoT card feature extraction module for extracting IoT card features from the XDR ticket data;
a service identification module for identifying the IoT card service and the IoT card terminal according to the IoT card features;
a traffic feature acquisition module for acquiring an IoT number traffic feature set according to the identified IoT card terminal;
and an anomaly identification module for identifying abnormal behavior of the IoT number according to the IoT number traffic feature set.
A third aspect of the invention provides an apparatus comprising a processor and a memory;
the memory is used for storing programs;
the processor is adapted to perform the method according to the first aspect of the invention according to the program.
A fourth aspect of the invention provides a storage medium storing a program for execution by a processor to perform the method according to the first aspect of the invention.
The embodiment of the invention extracts IoT card features from XDR ticket data; then identifies the IoT card service and the IoT card terminal according to the IoT card features; then acquires an IoT number traffic feature set according to the identified IoT card terminal; and finally identifies abnormal behavior of the IoT number according to the IoT number traffic feature set. Because anomaly detection is based on both the IoT card service and the IoT card terminal, the invention can identify many kinds of abnormal IoT card use, which widens the application range of anomaly identification. In addition, the invention needs no manually labeled data, which improves identification precision.
Drawings
In order to illustrate the technical solutions in the embodiments of the present application more clearly, the drawings used in the description of the embodiments are briefly introduced below. The drawings in the following description show only some embodiments of the present application, and those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a flowchart illustrating steps according to an embodiment of the present invention.
Detailed Description
The invention is further explained below with reference to the drawings and the embodiments. The step numbers in the embodiments are set only for convenience of illustration and place no limit on the order of the steps; the execution order of the steps can be adjusted as understood by those skilled in the art.
Existing schemes for identifying abnormal IoT card behavior suffer from low identification precision, a narrow application range and an inability to identify the device that is actually using the card, and they cannot be deployed directly on the live network. To solve these problems in the prior art, the invention provides a signaling-based method for identifying abnormal behavior of an IoT card. The method starts from XDR ticket data, identifies IoT card services with DPI technology by combining features from several dimensions, builds an abnormal behavior identification model on the service identification results, and outputs the IoT numbers suspected of abnormal use.
Referring to FIG. 1, the method for identifying abnormal behavior of an IoT card comprises the following steps:
S1, obtaining XDR ticket data. XDR (X Detail Record) refers to the detailed record of all signaling generated while a user accesses the Internet.
Step S1 of the present embodiment includes S11 and S12:
S11, collecting the user signaling corresponding to the IoT number; the user signaling comprises a source IP address, a destination IP address, a port number and a protocol type;
S12, processing the user signaling with DPI technology to obtain the XDR ticket data of the IoT user.
Specifically, in this embodiment the user signaling of the IoT number is collected, and the information it contains, such as the source IP address, destination IP address, port number and protocol type, is decoded, extracted and identified with DPI technology to form the XDR ticket data of the IoT user.
S2, extracting IoT card features from the XDR ticket data;
the IoT card features comprise the IoT number, international mobile equipment identity, protocol, source IP address, source port, destination IP address, destination port, network access point name, uniform resource locator, referring link and user agent.
Where IP (Internet Protocol): the internetworking protocol;
IMEI (International Mobile Equipment Identity): the international mobile equipment identity;
APN (Access Point Name): the network access point name;
URL (Uniform Resource Locator): the uniform resource locator;
REFERURI: the referring link;
Useragent: the user agent.
S3, identifying the IoT card service and the IoT card terminal according to the IoT card features;
step S3 of the present embodiment includes S31-S33:
S31, for each data flow in the XDR ticket data: matching the IoT card features against the service identification rules in a pre-established DPI service identification feature library to generate an identification result for the IoT card service;
the identification result for the IoT card service comprises a service classification, a service name, a service action and a company affiliation;
specifically, this embodiment matches seven dimensions (protocol type, IP + port, APN, number segment, URL, REFERURI and Useragent) against the service identification rules in a pre-established DPI service identification feature library, identifies each flow in the XDR ticket, and can reach identification precision at the service-action level. Each flow yields identification results at four granularities. The identification results are shown in Table 1.
TABLE 1
[Table 1 is an image in the original publication and is not reproduced here.]
As shown in Table 1, the service identified in this embodiment has the service classification "Internet of Things - power", the service name "Guangdong power meter reading", the service action "meter reading", and the developer/company affiliation "Guangdong Power Limited Company".
S32, matching the IoT card features against the regular expressions in a pre-established terminal feature library and extracting the mobile terminal model;
S33, identifying the terminal device model according to the mobile terminal model.
Specifically, based on the three dimensions IMEI, URL and Useragent, this embodiment uses the regular expressions in a pre-established terminal feature library to match the Useragent and URL fields of the ticket and extract the mobile terminal model contained in the HTTP header, and uses a web crawler to look up the terminal model from the IMEI, thereby identifying the terminal device model corresponding to the IoT number. The identification result is shown in Table 2:
TABLE 2
Serial number    Field
1                Number
2                URL identifies device type
3                URL identifies device brand
4                URL identifies device model
5                Useragent identifies device type
6                Useragent identifies device brand
7                Useragent identifies device model
8                IMEI identifies device type
9                IMEI identifies device brand
10               IMEI identifies device model
S4, acquiring an IoT number traffic feature set according to the identified IoT card terminal;
Specifically, step S4 in this embodiment is: according to the IoT card terminal, computing the traffic features of each number that generates IoT service traffic;
the traffic features comprise IoT traffic, non-IoT traffic, IoT traffic proportion, non-IoT traffic proportion, IoT traffic number, non-IoT traffic number, IoT traffic usage days, non-IoT traffic usage days, 2/3G total traffic and 4G total traffic.
S5, identifying abnormal behavior of the IoT number according to the IoT number traffic feature set.
In this embodiment, based on the IoT service identification result output in the previous step, the network behavior features of each number that generates IoT service traffic are computed with one month as the statistical granularity, producing the IoT number traffic feature set. The collected traffic features are shown in Table 3:
TABLE 3
[Table 3 is an image in the original publication and is not reproduced here.]
Step S5 of the present embodiment includes S51-S53:
S51, inputting the traffic features into a pre-trained autoencoder;
S52, calculating, with the autoencoder, the reconstruction error of the traffic features of each IoT number;
step S52 of the present embodiment includes S521-S523:
S521, calculating the encoder output from the input traffic features;
S522, calculating the decoder output from the encoder output;
S523, calculating the Euclidean distance between the decoder output and the input traffic features to determine the reconstruction error.
S53, when the reconstruction error is greater than a threshold, determining that the corresponding IoT number is suspected of abnormal use.
In this embodiment, the IoT number traffic feature set is input into a pre-trained autoencoder and the reconstruction error of each IoT number's data features is calculated; when the reconstruction error of a number is greater than the threshold, that number is an IoT number suspected of abnormal use.
The network structure of the autoencoder includes an input layer, a hidden layer and an output layer. The autoencoder has a hidden layer h that produces a code representing the input. The network can be seen as two parts: an encoder h = f(x) and a decoder r = g(h) that produces the reconstruction, so that the input x is approximately equal to the reconstructed output g(f(x)). The reconstruction error of the autoencoder established in this scheme is the Euclidean distance between the output g(f(x)) and the input x.
The pre-trained autoencoder is built by training on the historical traffic feature data set of all IoT numbers. Because abnormal IoT numbers make up a small share of the whole network, there is no need to screen out the normally used numbers first; all IoT numbers are used for training directly. By the nature of the autoencoder algorithm, the resulting network tends to fit the data characteristics of the majority, normal IoT numbers, so a number whose reconstruction error computed by the model exceeds the threshold is abnormal data.
The abnormal behaviors of IoT numbers that the model can identify include, but are not limited to, the following types:
1) terminal anomaly: the IMEI reported by the IoT number belongs to an ordinary mobile phone, such as Apple, Hua Ye and the like;
2) traffic service behavior anomaly: the IoT number generates a large amount of non-IoT service traffic, such as WeChat, Taobao and the like.
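The scoring in steps S51 to S53 can be sketched as follows. This is an added example, not code from the patent: the layer sizes, feature scaling, threshold rule (1.5 times the largest training error) and all sample counters are assumptions constructed for illustration. The constructed history holds only ordinary profiles, whereas the page trains on the full unscreened history.

```python
import math
import random


def features(raw):
    """Scale one number's monthly counters into the page's ten traffic features."""
    # iot_cnt / non_iot_cnt: the page's "traffic number", read here as a count (assumption).
    iot_mb, non_iot_mb, iot_cnt, non_iot_cnt, iot_days, non_iot_days, mb_2g3g, mb_4g = raw
    total = iot_mb + non_iot_mb

    def vol(mb):  # log scale so a 4 GB phone and a 5 MB meter both fit in [0, 1]
        return min(math.log1p(mb) / math.log1p(10000.0), 1.0)

    return [vol(iot_mb), vol(non_iot_mb),
            iot_mb / total if total else 0.0, non_iot_mb / total if total else 0.0,
            min(iot_cnt / 20.0, 1.0), min(non_iot_cnt / 20.0, 1.0),
            iot_days / 31.0, non_iot_days / 31.0, vol(mb_2g3g), vol(mb_4g)]


class Autoencoder:
    """Encoder h = f(x) = sigmoid(W1 x + b1); decoder r = g(h) = W2 h + b2."""

    def __init__(self, n_in, n_hidden, seed=0):
        rng = random.Random(seed)
        self.w1 = [[rng.uniform(-0.3, 0.3) for _ in range(n_in)] for _ in range(n_hidden)]
        self.b1 = [0.0] * n_hidden
        self.w2 = [[rng.uniform(-0.3, 0.3) for _ in range(n_hidden)] for _ in range(n_in)]
        self.b2 = [0.0] * n_in

    def encode(self, x):
        return [1.0 / (1.0 + math.exp(-(sum(w * v for w, v in zip(row, x)) + b)))
                for row, b in zip(self.w1, self.b1)]

    def decode(self, h):
        return [sum(w * v for w, v in zip(row, h)) + b for row, b in zip(self.w2, self.b2)]

    def reconstruction_error(self, x):
        """Euclidean distance between g(f(x)) and x (steps S521 to S523)."""
        r = self.decode(self.encode(x))
        return math.sqrt(sum((ri - xi) ** 2 for ri, xi in zip(r, x)))

    def fit(self, data, epochs=300, lr=0.1, seed=0):
        """Plain SGD on 0.5 * ||g(f(x)) - x||^2; no labels are used."""
        rng = random.Random(seed)
        data = list(data)
        for _ in range(epochs):
            rng.shuffle(data)
            for x in data:
                h = self.encode(x)
                err = [ri - xi for ri, xi in zip(self.decode(h), x)]
                # Gradient w.r.t. each hidden pre-activation (sigmoid' = h * (1 - h)).
                dh = [sum(err[i] * self.w2[i][j] for i in range(len(x))) * h[j] * (1.0 - h[j])
                      for j in range(len(h))]
                for i in range(len(x)):
                    for j in range(len(h)):
                        self.w2[i][j] -= lr * err[i] * h[j]
                    self.b2[i] -= lr * err[i]
                for j in range(len(h)):
                    for i in range(len(x)):
                        self.w1[j][i] -= lr * dh[j] * x[i]
                    self.b1[j] -= lr * dh[j]
        return self


def constructed_history(n=40, seed=7):
    """Constructed counters for ordinary meter-style numbers (not real data)."""
    rng = random.Random(seed)
    rows = {}
    for i in range(n):
        iot_mb, non_iot_mb = rng.uniform(2.0, 10.0), rng.uniform(0.0, 0.2)
        total, on_4g = iot_mb + non_iot_mb, i % 3 == 0
        rows["N%04d" % i] = (iot_mb, non_iot_mb, rng.randint(1, 2), rng.randint(0, 1),
                             rng.randint(26, 30), rng.randint(0, 1),
                             0.0 if on_4g else total, total if on_4g else 0.0)
    return rows


def run_demo():
    history = constructed_history()
    train = [features(r) for r in history.values()]
    model = Autoencoder(n_in=10, n_hidden=3).fit(train)
    # Threshold rule is an assumption; the page only says "a threshold".
    threshold = 1.5 * max(model.reconstruction_error(x) for x in train)
    current = {k: history[k] for k in list(history)[:3]}
    # Constructed phone-like profiles: mostly non-IoT traffic on 4G.
    current["N9001"] = (0.5, 4000.0, 1, 12, 3, 30, 50.0, 3950.5)
    current["N9002"] = (5.0, 300.0, 2, 5, 28, 20, 5.0, 300.0)
    errors = {k: model.reconstruction_error(features(r)) for k, r in current.items()}
    flagged = sorted(k for k, e in errors.items() if e > threshold)
    return threshold, errors, flagged


if __name__ == "__main__":
    threshold, errors, flagged = run_demo()
    print("threshold %.3f" % threshold)
    for number, err in errors.items():
        print(number, "%.3f" % err, "SUSPECT" if number in flagged else "ok")
```

If history already contains abnormal numbers that lie far from the rest, the network can learn to reconstruct them too, so the contamination level and the threshold should be validated on held-out data before relying on the scores.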
In summary, the autoencoder algorithm, commonly used for dimensionality reduction or feature extraction, is applied here to detect abnormal use of IoT numbers. The data set does not need to be labeled manually and training can use the full data directly, which effectively reduces data labeling cost and improves the generalization performance and identification accuracy of the model;
in addition, using the DPI service identification library and the device identification feature library, abnormal use of an IoT number is detected from the Internet services generated by the IoT card and the device model in use, so the model can identify many types of abnormal IoT card use, which extends its identification range.
The method combines DPI technology, crawler technology and machine learning technology to identify abnormal use of IoT cards from their signaling data. It needs no manually set identification rules or labeled data, and it overcomes the high cost and the insufficient accuracy and coverage of existing methods. The scheme therefore has the following advantages:
1) abnormal use of an IoT card is identified by combining the card's traffic service identification result with its device model identification result, so identification precision is high and many types of abnormal use can be identified;
2) modeling is based on the unsupervised autoencoder algorithm, so the signaling data of all IoT cards can be used directly without manual data labeling, which effectively reduces cost and improves the generalization performance of the model.
According to the invention, DPI service identification is performed on the signaling data of the IoT card, the Internet access services of the IoT card and the terminal information used in real time are identified, and an abnormal behavior identification model for the IoT card is then established, so that abnormally used IoT numbers can be determined.
Corresponding to the method in FIG. 1, an embodiment of the present invention further provides a system for identifying abnormal behavior of an IoT card, including:
an acquisition module for obtaining XDR ticket data;
an IoT card feature extraction module for extracting IoT card features from the XDR ticket data;
a service identification module for identifying the IoT card service and the IoT card terminal according to the IoT card features;
a traffic feature acquisition module for acquiring an IoT number traffic feature set according to the identified IoT card terminal;
and an anomaly identification module for identifying abnormal behavior of the IoT number according to the IoT number traffic feature set.
Corresponding to the method of fig. 1, an embodiment of the present invention further provides an apparatus, including a processor and a memory;
the memory is used for storing programs;
the processor is configured to perform the method of fig. 1 in accordance with the program.
Corresponding to the method in fig. 1, the embodiment of the invention further provides a storage medium, which stores a program, and the program is executed by a processor to complete the method in fig. 1.
In alternative embodiments, the functions/acts noted in the block diagrams may occur out of the order noted in the operational illustrations. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality/acts involved. Furthermore, the embodiments presented and described in the flow charts of the present invention are provided by way of example in order to provide a more thorough understanding of the technology. The disclosed methods are not limited to the operations and logic flows presented herein. Alternative embodiments are contemplated in which the order of various operations is changed and in which sub-operations described as part of larger operations are performed independently.
Furthermore, although the present invention is described in the context of functional modules, it should be understood that, unless otherwise stated to the contrary, one or more of the described functions and/or features may be integrated in a single physical device and/or software module, or one or more functions and/or features may be implemented in a separate physical device or software module. It will also be appreciated that a detailed discussion of the actual implementation of each module is not necessary for an understanding of the present invention. Rather, the actual implementation of the various functional modules in the apparatus disclosed herein will be understood within the ordinary skill of an engineer, given the nature, function, and internal relationship of the modules. Accordingly, those skilled in the art can, using ordinary skill, practice the invention as set forth in the claims without undue experimentation. It is also to be understood that the specific concepts disclosed are merely illustrative of and not intended to limit the scope of the invention, which is defined by the appended claims and their full scope of equivalents.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The logic and/or steps represented in the flowcharts or otherwise described herein, e.g., an ordered listing of executable instructions that can be considered to implement logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). Additionally, the computer-readable medium could even be paper or another suitable medium upon which the program is printed, as the program can be electronically captured, via for instance optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner if necessary, and then stored in a computer memory.
It should be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, the various steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or combination of the following techniques, which are known in the art, may be used: a discrete logic circuit having a logic gate circuit for implementing a logic function on a data signal, an application specific integrated circuit having an appropriate combinational logic gate circuit, a Programmable Gate Array (PGA), a Field Programmable Gate Array (FPGA), or the like.
In the description herein, references to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
While embodiments of the invention have been shown and described, it will be understood by those of ordinary skill in the art that: various changes, modifications, substitutions and alterations can be made to the embodiments without departing from the principles and spirit of the invention, the scope of which is defined by the claims and their equivalents.
While the preferred embodiments of the present invention have been illustrated and described, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (10)

1. An identification method for abnormal behaviors of an Internet of things card is characterized by comprising the following steps:
obtaining XDR ticket data;
extracting the characteristics of the Internet of things card from the XDR ticket data;
identifying the Internet of things card service and the Internet of things card terminal according to the characteristics of the Internet of things card;
acquiring an Internet of things number traffic feature set according to the identified Internet of things card terminal;
and identifying abnormal behavior of the Internet of things number according to the Internet of things number traffic feature set.
2. The method for identifying the abnormal behavior of the internet of things card according to claim 1, wherein the step of acquiring XDR ticket data comprises the following steps:
acquiring user signaling corresponding to an Internet of things number; the user signaling comprises a source IP address, a destination IP address, a port number and a protocol type;
and processing the user signaling by adopting a DPI technology to obtain XDR ticket data of the user of the Internet of things.
3. The method for identifying the abnormal behavior of the internet of things card according to claim 1, wherein in the step of extracting the characteristics of the internet of things card from the XDR ticket data, the characteristics of the internet of things card comprise an internet of things number, an international mobile equipment identity, a protocol, a source IP address, a source port, a destination IP address, a destination port, a network access point name, a uniform resource locator, an incoming connection and a user agent.
4. The method for identifying the abnormal behavior of the internet of things card according to claim 1, wherein the identifying the Internet of things card service and the Internet of things card terminal according to the characteristics of the internet of things card comprises the following steps:
for each data flow in the XDR ticket data: matching the characteristics of the Internet of things card with a service identification rule in a pre-established DPI service identification characteristic library to generate an identification result of the Internet of things card service;
the identification result of the Internet of things card service comprises a service classification, a service name, a service action and a company affiliation;
matching the characteristics of the Internet of things card with a regular expression in a pre-established terminal characteristic library, and extracting the model of the mobile terminal;
and identifying the model of the terminal equipment according to the model of the mobile terminal.
5. The method for identifying the abnormal behavior of the internet of things card according to claim 1, wherein the step of acquiring the Internet of things number traffic feature set according to the identified internet of things card terminal comprises the following steps:
according to the Internet of things card terminal, computing the traffic features corresponding to each number that generates Internet of things service traffic;
the traffic features comprise internet of things traffic, non-internet of things traffic, internet of things traffic proportion, non-internet of things traffic proportion, internet of things traffic number, non-internet of things traffic number, internet of things traffic usage days, non-internet of things traffic usage days, 2/3G total traffic and 4G total traffic.
6. The method for identifying the abnormal behavior of the internet of things card according to claim 5, wherein the identifying the abnormal behavior of the internet of things number according to the internet of things number traffic feature set comprises the following steps:
inputting the traffic features into a pre-trained autoencoder;
calculating a reconstruction error of the traffic features of each Internet of things number through the autoencoder;
and when the reconstruction error is larger than a threshold value, determining that the corresponding Internet of things number is an Internet of things number suspected of abnormal use behavior.
7. The method for identifying the abnormal behavior of the internet of things card according to claim 6, wherein the calculating the reconstruction error of the traffic features of each internet of things number through the autoencoder comprises:
calculating an output result of the encoder according to the input traffic features;
calculating an output result of the decoder according to the output result of the encoder;
and calculating the Euclidean distance between the output result of the decoder and the input traffic features to determine the reconstruction error.
8. An abnormal behavior identification system of an internet of things card is characterized by comprising:
the acquisition module is used for acquiring XDR ticket data;
the Internet of things card feature extraction module is used for extracting Internet of things card features from the XDR ticket data;
the service identification module is used for identifying the Internet of things card service and the Internet of things card terminal according to the characteristics of the Internet of things card;
the traffic feature acquisition module is used for acquiring an Internet of things number traffic feature set according to the identified Internet of things card terminal;
and the abnormality identification module is used for identifying the abnormal behavior of the Internet of things number according to the Internet of things number traffic feature set.
9. An apparatus comprising a processor and a memory;
the memory is used for storing programs;
the processor is configured to perform, according to the program, the method as claimed in any one of claims 1-7.
10. A storage medium, characterized in that the storage medium stores a program, which is executed by a processor to perform the method according to any one of claims 1-7.
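The scoring step of claims 5 to 7, sketched as an added example (not code from the patent): a tied-weight linear autoencoder fitted in closed form via SVD stands in for the pre-trained autoencoder, whose architecture the claims do not specify. The feature subset, the standardization of inputs, the bottleneck size, the mean-plus-three-standard-deviations threshold and all sample values are assumptions constructed for illustration.

```python
import numpy as np

def features(iot_mb, non_iot_mb, iot_days, non_iot_days):
    """One per-number vector using a subset of the claim 5 traffic features."""
    total = iot_mb + non_iot_mb
    iot_ratio = iot_mb / total if total else 0.0
    non_iot_ratio = non_iot_mb / total if total else 0.0
    return np.array([iot_mb, non_iot_mb, iot_ratio, non_iot_ratio,
                     iot_days, non_iot_days], dtype=float)

class LinearAutoencoder:
    """Tied-weight linear autoencoder fitted via SVD (equivalent to PCA)."""
    def __init__(self, bottleneck=2):          # assumed bottleneck size
        self.k = bottleneck

    def fit(self, X):
        self.mu = X.mean(axis=0)
        self.sigma = X.std(axis=0)
        self.sigma[self.sigma == 0] = 1.0      # guard constant features
        Z = (X - self.mu) / self.sigma
        _, _, vt = np.linalg.svd(Z, full_matrices=False)
        self.W = vt[: self.k].T                # d x k, orthonormal columns
        errs = self.reconstruction_error(X)
        # Assumed threshold rule: mean + 3 std of errors on normal cards.
        self.threshold = errs.mean() + 3 * errs.std()
        return self

    def reconstruction_error(self, X):
        Z = (np.atleast_2d(X) - self.mu) / self.sigma
        code = Z @ self.W                      # encoder output
        recon = code @ self.W.T                # decoder output
        return np.linalg.norm(recon - Z, axis=1)  # Euclidean distance

    def is_suspect(self, x):
        return bool(self.reconstruction_error(x)[0] > self.threshold)

def constructed_training_set(n=300, seed=0):
    """Constructed sample: metering-style cards with little non-IoT traffic."""
    rng = np.random.default_rng(seed)
    return np.array([features(rng.uniform(20, 60), rng.uniform(0, 2),
                              rng.integers(25, 31), rng.integers(0, 3))
                     for _ in range(n)])

MODEL = LinearAutoencoder().fit(constructed_training_set())
TYPICAL = features(40, 1, 28, 1)    # constructed: ordinary IoT usage
MISUSED = features(5, 900, 3, 30)   # constructed: mostly non-IoT traffic

if __name__ == "__main__":
    for name, card in (("typical", TYPICAL), ("misused", MISUSED)):
        print(name, MODEL.reconstruction_error(card)[0], MODEL.is_suspect(card))
```

Because the model is fitted only on cards with normal usage, a number whose non-IoT traffic and usage days break the learned correlations cannot be reconstructed from the bottleneck, and its error exceeds the threshold.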
CN202010579518.0A 2020-06-23 2020-06-23 Method, system, device and medium for identifying abnormal behavior of Internet of things card Pending CN111865923A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010579518.0A CN111865923A (en) 2020-06-23 2020-06-23 Method, system, device and medium for identifying abnormal behavior of Internet of things card

Publications (1)

Publication Number Publication Date
CN111865923A true CN111865923A (en) 2020-10-30

Family

ID=72989915

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010579518.0A Pending CN111865923A (en) 2020-06-23 2020-06-23 Method, system, device and medium for identifying abnormal behavior of Internet of things card

Country Status (1)

Country Link
CN (1) CN111865923A (en)

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110769449A (en) * 2018-07-25 2020-02-07 中国电信股份有限公司 Method and device for analyzing network connection state of terminal of Internet of things
US20200195669A1 (en) * 2018-12-13 2020-06-18 At&T Intellectual Property I, L.P. Multi-tiered server architecture to mitigate malicious traffic
CN110830986A (en) * 2019-11-13 2020-02-21 国家计算机网络与信息安全管理中心上海分中心 Method, device, equipment and storage medium for detecting abnormal behavior of Internet of things card
CN111092893A (en) * 2019-12-22 2020-05-01 上海唐盛信息科技有限公司 Network security protection method based on XDR ticket data
CN111030876A (en) * 2019-12-25 2020-04-17 武汉绿色网络信息服务有限责任公司 NB-IoT terminal fault positioning method and device based on DPI

Non-Patent Citations (1)

Title
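Sun Xuri et al.: "Network traffic anomaly detection method combining secondary feature extraction and LSTM-Autoencoder", Journal of Beijing Jiaotong University *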

Cited By (3)

Publication number Priority date Publication date Assignee Title
CN112468331A (en) * 2020-11-13 2021-03-09 中盈优创资讯科技有限公司 Method and device for diagnosing abnormal NB card based on MME log
CN113364739A (en) * 2021-05-13 2021-09-07 北京亚鸿世纪科技发展有限公司 Method and system for identifying abnormal flow of Internet of things equipment
CN113364739B (en) * 2021-05-13 2022-05-13 北京亚鸿世纪科技发展有限公司 Method and system for identifying abnormal flow of Internet of things equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20201030