CN115038088B - Intelligent network security detection early warning system and method - Google Patents


Info

Publication number: CN115038088B
Authority: CN (China)
Prior art keywords: data, abnormal, node, internet, things
Legal status: Active (Google's stated legal status is an assumption, not a legal conclusion)
Application number: CN202210955318.XA
Other languages: Chinese (zh)
Other versions: CN115038088A (en)
Inventors: 顾建龙, 周荣建, 赵磊, 柏晓雷, 尤为刚
Current assignee: Lanswon Technologies Co ltd (listed assignees may be inaccurate)
Original assignee: Lanswon Technologies Co ltd
Application CN202210955318.XA filed by Lanswon Technologies Co ltd; priority to CN202210955318.XA
Publication of CN115038088A (application); application granted; publication of CN115038088B (grant)
Legal status: Active (current)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/60 Context-dependent security
    • H04W 12/67 Risk-dependent, e.g. selecting a security level depending on risk profiles
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06 Management of faults, events, alarms or notifications
    • H04L 41/0604 Management of faults, events, alarms or notifications using filtering, e.g. reduction of information by using priority, element types, position or time
    • H04L 41/0609 Management of faults, events, alarms or notifications using filtering, e.g. reduction of information by using priority, element types, position or time, based on severity or priority
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06 Management of faults, events, alarms or notifications
    • H04L 41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/14 Network analysis or design
    • H04L 41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/14 Network analysis or design
    • H04L 41/147 Network analysis or design for predicting network behaviour
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 24/00 Supervisory, monitoring or testing arrangements
    • H04W 24/04 Arrangements for maintaining operational condition

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an intelligent network security detection and early warning system and method. Internet of Things node devices periodically collect data and receive information transmitted by other node devices, process it and analyse it for anomalies, and report the processed abnormal information data or abnormal indication information to the next node or to an edge server. The edge server receives the abnormal information data or abnormal indication information reported by all nodes, calculates from the reported abnormal information data whether the abnormal entropy of the current system exceeds a threshold, and if so determines the abnormal level of the system and reports it to an early warning background. Because each node device judges anomalies with a built-in network anomaly judgment model before uploading the processed data to the server, network transmission pressure is reduced; the edge server then analyses the abnormal data reported by all nodes in the system to obtain the network security level of the system, so that early warnings are triggered reliably.

Description

Intelligent network security detection early warning system and method
Technical Field
The invention belongs to the technical field of computer internet of things, and particularly relates to an intelligent network security detection early warning system and method.
Background
As 5G supports an ever larger number of connected devices, large numbers of Internet of Things devices are connected to the 5G network for data transmission, and the network security problems of these devices need to be solved, including network security faults caused by illegal access and traffic overload in the Internet of Things. At the same time, as the amount of data transmitted over the network grows, server-based computation generally leads to excessive server load and excessive transmission pressure on the mobile network, so that potential network security hazards cannot be reported in time, with further serious consequences.
The processing capacity of artificial-intelligence chips keeps increasing and can now support local AI analysis and computation.
Therefore, given the upgrade of existing networks and equipment and their application scenarios, an intelligent network security early warning system with low delay, high reliability and high utilisation of system resources is needed.
Disclosure of Invention
In view of the above-mentioned defects in the prior art, the present invention provides an intelligent network security detection and early warning system, which comprises:
Internet of Things node devices periodically collect data and receive information transmitted by other node devices, process and analyse the collected data and the data received from other node devices, report the processed collected data and the processed data received from other node devices to the next node or an edge server as abnormal information data when the analysis result is abnormal, and report abnormal indication information to the next node or the edge server when the analysis result is abnormal;
after receiving the abnormal information data or abnormal indication information reported by all nodes, the edge server calculates from the abnormal information data reported by each node whether the abnormal entropy of the current system exceeds a threshold, and if so determines the abnormal level of the system and reports it to an early warning background;
the early warning background issues an early warning according to the received abnormal level of the system.
The anomaly analysis that an Internet of Things node device performs on the collected data and the data received from other node devices uses a network anomaly judgment model built into the node device.
After the edge server calculates that the abnormal entropy of the current system exceeds the threshold, it judges the abnormal level of the system by the following steps:
Step one, the edge server calculates the abnormal entropy S_node of a single node:
[Equation image: Figure GDA0003863918760000021]
where S_nodej is the abnormal entropy of the jth Internet of Things node device that reported network abnormal information to the edge server in the period, s is the hop count from that node to the edge server, n is the number of data streams received from all other nodes in the period, M is the number of data packets contained in a data stream, L is the size of a data packet, FL_max is the maximum data volume the jth node device can receive in the part of a single cycle allocated to receiving data from other node devices, U is the number of other node devices from which the jth node device receives uploaded data, O is the actual data volume acquired by the jth node device in the part of the single cycle allocated to data acquisition, O_norm is the normal data volume the jth node device acquires in that acquisition period, R_ik is the number of mismatched network-layer address / data-link-layer address pairs found by inspecting the data sent by the kth other node device, R_pk is the number of mismatched network-layer address / port number pairs found in the data sent by the kth other node device, and R_sk is the number of mismatched data-link-layer address / port number pairs found in the data sent by the kth other node device;
Step two, the edge server calculates the abnormal entropy S_A of the current system:
[Equation image: Figure GDA0003863918760000031]
where w is the number of abnormal information reports from node devices received by the edge server;
Step three, the edge server judges whether the abnormal entropy S_A of the current system is greater than the threshold;
Step four, when S_A - threshold > 0, the edge server computes MK = S_A - threshold;
Step five, the edge server compares MK with the abnormal grade intervals to determine the current abnormal grade of the system.
An Internet of Things node device periodically collects data and receives information transmitted by other node devices: data is collected in a first time period of each cycle, and information transmitted by other node devices is received in the remaining time periods of the cycle.
When the Internet of Things node device processes the acquired data and the data received from other node devices, it obtains the following parameters:
the number n of data streams received from all other nodes in a cycle, the number M of data packets contained in a data stream, the size L of a data packet, the maximum data amount FL_max that the jth node device can receive in the part of a single cycle allocated to receiving data from other node devices, the number U of other node devices from which the jth node device receives uploaded data, the actual data volume O acquired by the jth node device in the part of the single cycle allocated to data acquisition, the normal data volume O_norm that the jth node device acquires in that acquisition period, the number R_ik of mismatched network-layer address / data-link-layer address pairs found by inspecting the data sent by the kth other node device, the number R_pk of mismatched network-layer address / port number pairs found in the data sent by the kth other node device, and the number R_sk of mismatched data-link-layer address / port number pairs found in the data sent by the kth other node device.
The anomaly analysis that the Internet of Things node device performs on the collected data and the data received from other node devices is carried out according to a built-in network anomaly judgment model. This model is obtained by training on historical network data of at least every device in the system: the historical network data are stored separately according to the data collected and received in each device's historical cycles and used as the input data for training a KNN model, which yields the network anomaly judgment model of a single device.
The network anomaly judgment model comprises two KNN models: a first time period KNN model for the time period in which data is acquired in a single cycle and a second time period KNN model for the time periods in which information transmitted by other node devices is received in the single cycle; the first and second time period KNN models are used in combination to judge anomalies.
The threshold is set according to the mean B_1 of the system abnormal entropy over the periods in the system's historical data in which a system network anomaly occurred and the mean B_2 of the system abnormal entropy over the periods in which no system network anomaly occurred.
The threshold is set as threshold = w_1 B_1 + w_2 B_2, where w_1 and w_2 are the weights of B_1 (mean system abnormal entropy with a network anomaly in the historical data) and B_2 (mean system abnormal entropy without a network anomaly in the historical data) respectively, and w_1 and w_2 satisfy w_1 + w_2 = 1.
The invention also provides a network security detection early warning method based on the system, which comprises the following steps:
Internet of Things node devices periodically collect data and receive information transmitted by other node devices, and process and analyse the collected data and the data received from other node devices for anomalies; when the analysis result is abnormal, the processed collected data and the processed data received from other node devices are reported to the next node or an edge server as abnormal information data, and when the analysis result is abnormal, abnormal indication information is reported to the next node or the edge server. After the edge server has received the abnormal information data or abnormal indication information reported by all nodes, it calculates from the abnormal information data reported by all nodes whether the abnormal entropy of the current system exceeds a threshold, and if so determines the abnormal grade of the system and reports it to an early warning background. The early warning background issues an early warning according to the received abnormal grade of the system.
The Internet of Things node device periodically collects data and receives information transmitted by other node devices: data is collected in a first time period of the cycle, and information transmitted by other node devices is received in the remaining time periods of the cycle.
When an Internet of Things node device transmits data to another Internet of Things node device, the transmission takes place on time-frequency resources allocated to the devices in advance by the access network.
In the invention, after the node equipment of the Internet of things judges the abnormal condition based on the built-in network abnormality judgment model, the processed data is uploaded to the server, so that the load pressure of network transmission is reduced, the network delay is reduced, and the number of the node equipment of the Internet of things which can be accessed is increased.
In the invention, the edge server analyzes the abnormal data reported by all the nodes in the system to obtain the overall network security level of the system, and reliable early warning triggering is realized through dual abnormal analysis of the nodes and the server.
Drawings
The above and other objects, features and advantages of exemplary embodiments of the present disclosure will become readily apparent from the following detailed description read in conjunction with the accompanying drawings. Several embodiments of the present disclosure are illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings and in which like reference numerals refer to similar or corresponding parts and in which:
fig. 1 is a schematic diagram illustrating a method for intelligent network security early warning according to an embodiment of the present invention.
Fig. 2 is a diagram illustrating calculation of abnormal entropy according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention will be described in further detail with reference to the accompanying drawings, and it is apparent that the described embodiments are only a part of the embodiments of the present invention, not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, belong to the protection scope of the present invention.
The terminology used in the embodiments of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in the description of the invention and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise, and "the plural" typically includes at least two.
It should be understood that, although the terms first, second, third, etc. may be used in the embodiments of the present invention to describe various elements, these elements are not limited by these terms. The terms are used only to distinguish one element from another. For example, without departing from the scope of the embodiments of the present invention, a first element could be termed a second element, and vice versa.
It should be understood that the term "and/or" as used herein is merely one type of association that describes an associated object, meaning that three relationships may exist, e.g., a and/or B may mean: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship.
The word "if", as used herein, may be interpreted as "when" or "upon" or "in response to determining" or "in response to detecting", depending on the context. Similarly, the phrases "if determined" or "if detected (a stated condition or event)" may be interpreted as "when determined" or "in response to determining" or "when detected (a stated condition or event)" or "in response to detecting (a stated condition or event)", depending on the context.
It is also noted that the terms "comprises", "comprising", or any other variation thereof, are intended to cover a non-exclusive inclusion, such that an article or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such article or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional like elements in an article or device comprising the element.
An alternative embodiment of the present invention is described in detail below with reference to the drawings.
First embodiment
As shown in fig. 1, the invention discloses a network security detection early warning method based on the above system, the method comprising:
Internet of Things node devices periodically collect data and receive information transmitted by other node devices, and process and analyse the collected data and the data received from other node devices for anomalies; when the analysis result is abnormal, the processed collected data and the processed data received from other node devices are reported to the next node or an edge server as abnormal information data, and when the analysis result is abnormal, abnormal indication information is reported to the next node or the edge server.
After the edge server has received the abnormal information data or abnormal indication information reported by all nodes, it calculates from the abnormal information data reported by all nodes whether the abnormal entropy of the current system exceeds a threshold, and if so determines the abnormal level of the system and reports it to an early warning background.
The early warning background issues an early warning according to the received abnormal grade of the system.
Optionally, so that model training and anomaly judgment use a uniform data structure, the periodic collection of data and reception of information from other node devices consists of collecting data in a first time period of the cycle and receiving information transmitted by other node devices in the remaining time periods of the cycle, where the length and position of the first time period are fixed in every cycle.
Optionally, when an Internet of Things node device transmits data to another Internet of Things node device, the transmission takes place on time-frequency resources allocated to the devices in advance by the access network. The transmission may use a sidelink (SL) established through D2D; the sidelink may be configured by the access device, and the transmission period may be negotiated between the devices in advance or allocated to each device in advance by the base station.
In the invention, after the node equipment of the Internet of things judges the abnormal condition, the processed data is uploaded to the server, so that the load pressure of network transmission is reduced, the network delay is reduced, and the number of the node equipment of the Internet of things which can be accessed is increased.
In the invention, the edge server analyzes the abnormal data reported by all nodes in the system to obtain the overall network security level of the system, and reliable early warning triggering is realized through dual abnormal analysis of the nodes and the server.
Second embodiment
The invention discloses an intelligent network safety early warning system, which comprises the following network units and corresponding functions:
Internet of Things node devices periodically collect data and receive information transmitted by other node devices, process and analyse the collected data and the data received from other node devices, report the processed collected data and the processed data received from other node devices to the next node or an edge server as abnormal information data when the analysis result is abnormal, and report abnormal indication information to the next node or the edge server when the analysis result is abnormal.
After the edge server has received the abnormal information data or abnormal indication information reported by all nodes, it calculates from the abnormal information data reported by all nodes whether the abnormal entropy of the current system exceeds a threshold, and if so determines the abnormal grade of the system and reports it to the early warning background.
The early warning background issues an early warning according to the received abnormal grade of the system.
A network anomaly judgment model is built into the Internet of Things node device to perform the anomaly analysis of the collected data and the data received from other node devices.
As shown in fig. 2, after calculating that the abnormal entropy of the current system exceeds the threshold, the edge server determines the abnormal level of the system by the following steps:
Step one, the edge server calculates the abnormal entropy S_node of a single node:
[Equation image: Figure GDA0003863918760000101]
where S_nodej is the abnormal entropy of the jth Internet of Things node device that reported network abnormal information to the edge server in the period, s is the hop count from that node to the edge server, n is the number of data streams received from all other nodes in the period, M is the number of data packets contained in a data stream, L is the size of a data packet, FL_max is the maximum data volume the jth node device can receive in the part of a single cycle allocated to receiving data from other node devices, U is the number of other node devices from which the jth node device receives uploaded data, O is the actual data volume acquired by the jth node device in the part of the single cycle allocated to data acquisition, O_norm is the normal data volume the jth node device acquires in that acquisition period, R_ik is the number of mismatched network-layer address / data-link-layer address pairs found by inspecting the data sent by the kth other node device, R_pk is the number of mismatched network-layer address / port number pairs found in the data sent by the kth other node device, and R_sk is the number of mismatched data-link-layer address / port number pairs found in the data sent by the kth other node device;
Step two, the edge server calculates the abnormal entropy S_A of the current system:
[Equation image: Figure GDA0003863918760000111]
where w is the number of abnormal information reports from node devices received by the edge server;
Step three, the edge server judges whether the abnormal entropy S_A of the current system is greater than the threshold;
Step four, when S_A - threshold > 0, the edge server computes MK = S_A - threshold;
Step five, the edge server compares MK with the abnormal grade intervals to determine the current abnormal grade of the system.
Optionally, so that model training and anomaly judgment use a uniform data structure, the periodic collection of data and reception of information from other node devices consists of collecting data in a first time period of a single cycle and receiving information transmitted by other node devices in the remaining time periods of that cycle.
When the Internet of Things node device processes the acquired data and the data received from other node devices, it obtains the following parameters:
the number n of data streams received from all other nodes in a cycle, the number M of data packets contained in a data stream, the size L of a data packet, the maximum data amount FL_max that the jth node device can receive in the part of a single cycle allocated to receiving data from other node devices, the number U of other node devices from which the jth node device receives uploaded data, the actual data volume O acquired by the jth node device in the part of the single cycle allocated to data acquisition, the normal data volume O_norm that the jth node device acquires in that acquisition period, the number R_ik of mismatched network-layer address / data-link-layer address pairs found by inspecting the data sent by the kth other node device, the number R_pk of mismatched network-layer address / port number pairs found in the data sent by the kth other node device, and the number R_sk of mismatched data-link-layer address / port number pairs found in the data sent by the kth other node device.
And the node equipment of the Internet of things directly or indirectly sends the processed data to the edge server, and after the edge server receives all data abnormal or abnormal indication, the edge server calculates the abnormal entropy of the system according to a system abnormal entropy calculation method and compares the abnormal entropy with a threshold value to determine the abnormal level.
In a certain embodiment, the abnormal analysis of the collected data and the data received from other node devices by the node device of the internet of things includes that the abnormal analysis of the collected data and the data received from other node devices is performed by the node device of the internet of things according to a built-in network abnormal judgment model, the network abnormal judgment model is obtained by training historical network data of each device at least including the system, the historical network data is respectively stored according to the data collected and received in the historical period of each device, and the historical network data is used as input data of a KNN model to be trained to obtain a network abnormal judgment model of a single device.
In one embodiment, the network anomaly judgment model includes two KNN models, one corresponding to the first time period of a single cycle in which data is acquired and one corresponding to the second time period of the single cycle in which information transmitted by other node devices is received, and the two KNN models are used in combination to judge anomalies.
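As an added example, not code from the patent or its applicant, the following Python builds the two-model judgment described above with a minimal KNN classifier: one model over features of the data-acquisition period and one over features of the receiving period. The history vectors, the feature choices, the neighbour count k and the rule for combining the two verdicts (abnormal if either model says so) are all assumptions; the patent does not specify them.

```python
# Added example, not from the patent: a node-side anomaly judgment built from
# two KNN models, one per time period of the cycle. History vectors, feature
# choices and the OR combination rule are assumptions for illustration.
import math

# Model 1 (data-acquisition period). Features: acquired bytes / normal bytes,
# sample count / expected sample count. Label 1 = abnormal, 0 = normal.
COLLECT_HISTORY = [
    ([1.00, 1.00], 0), ([0.95, 1.00], 0), ([1.05, 0.98], 0), ([0.98, 1.02], 0),
    ([0.30, 0.40], 1), ([0.25, 0.35], 1),   # sensor starvation
    ([2.50, 2.40], 1), ([2.80, 2.60], 1),   # flooding from the sensing side
]

# Model 2 (receiving period). Features: streams n, total packets, received
# bytes / FL_max, total address-binding mismatches (R_ik + R_pk + R_sk).
RECEIVE_HISTORY = [
    ([3, 6, 0.5, 0], 0), ([2, 4, 0.3, 0], 0), ([4, 8, 0.7, 0], 0),
    ([9, 60, 1.4, 0], 1), ([12, 80, 1.9, 3], 1),                      # traffic floods
    ([3, 7, 0.5, 5], 1), ([4, 8, 0.6, 4], 1), ([2, 5, 0.3, 6], 1),   # address inconsistency
]


def knn_predict(history, x, k=3):
    """Majority label among the k nearest labelled vectors (Euclidean distance).

    Features are used unscaled here; a deployment would normalise them so that
    the packet count does not dominate the ratio features.
    """
    ranked = sorted(history, key=lambda h: math.dist(h[0], x))
    abnormal_votes = sum(label for _, label in ranked[:k])
    return 1 if 2 * abnormal_votes > k else 0


def node_verdict(collect_x, receive_x, k=3):
    """Combine the two models: report as abnormal if either period is abnormal
    (the combination rule is not specified by the patent; OR is assumed)."""
    c = knn_predict(COLLECT_HISTORY, collect_x, k)
    r = knn_predict(RECEIVE_HISTORY, receive_x, k)
    return {"collect_abnormal": c == 1, "receive_abnormal": r == 1,
            "report_abnormal": bool(c or r)}


if __name__ == "__main__":
    print(node_verdict([0.98, 1.00], [3, 6, 0.5, 0]))   # both periods normal
    print(node_verdict([0.98, 1.00], [4, 9, 0.6, 4]))   # mismatches in receive period
    print(node_verdict([0.25, 0.35], [3, 6, 0.5, 0]))   # starved acquisition period
```

Keeping the two periods in separate models matters because their feature spaces differ: a starved sensing slot and a flooded receiving slot are different failure modes, and one classifier over the concatenated features would let the larger-valued receiving features swamp the acquisition ratios.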
In one embodiment, the threshold is set according to the mean B_1 of the system anomaly entropy over periods in which a system network anomaly occurred in the system historical data and the mean B_2 of the system anomaly entropy over periods in which no system network anomaly occurred in the system historical data.
In one embodiment, the threshold is set as threshold = w_1 B_1 + w_2 B_2, where w_1 and w_2 are the weights corresponding to the mean B_1 of the system anomaly entropy with system network anomalies in the system historical data and the mean B_2 of the system anomaly entropy without system network anomalies in the system historical data, and w_1 and w_2 satisfy w_1 + w_2 = 1. For example, w_1 and w_2 may be set to 0.6 and 0.4, respectively. The network manager can set different weights for different management areas of the edge server to meet the different security requirements of different systems.
In one embodiment, the anomaly level intervals may be determined from historical system anomaly entropy values whose levels have already been determined.
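As an added example that is not part of the patent, the following Python carries the threshold and grading rules of the last three paragraphs through on constructed history: B_1 and B_2 are computed from graded historical entropy values, threshold = w_1 B_1 + w_2 B_2 with w_1 = 0.6 and w_2 = 0.4, MK = S_A - threshold is formed when the threshold is exceeded, and MK is mapped to a level. S_A itself is taken as an input, because the patent's formula for it is shown only as an image on this page; the history values, the function names and the way the level intervals are derived from graded history (lower bound = smallest historical MK of that level) are assumptions.

```python
# Added example, not from the patent: deriving the edge server's threshold from
# historical system anomaly entropy and grading MK = S_A - threshold. The
# history values are invented; S_A itself is taken as an input because the
# patent's formula for it is not reproduced on this page.
from statistics import mean

# (S_A recorded in a past period, anomaly level assigned then); level 0 means
# no system network anomaly occurred in that period.
HISTORY = [
    (0.40, 0), (0.45, 0), (0.50, 0), (0.45, 0),
    (2.0, 1), (2.1, 1),
    (2.4, 2), (2.6, 2),
    (3.0, 3), (3.3, 3),
]


def threshold_from_history(history, w1=0.6, w2=0.4):
    """threshold = w1*B1 + w2*B2 with w1 + w2 = 1, B1 the mean S_A over periods
    with a system network anomaly and B2 the mean over periods without one.
    Returns (threshold, B1, B2)."""
    if abs(w1 + w2 - 1.0) > 1e-9:
        raise ValueError("w1 + w2 must equal 1")
    b1 = mean(s for s, lvl in history if lvl > 0)
    b2 = mean(s for s, lvl in history if lvl == 0)
    return w1 * b1 + w2 * b2, b1, b2


def level_intervals(history, threshold):
    """Lower bound of MK for each level, taken from the smallest historical MK
    of that level (one way to build the intervals from graded history; the
    patent leaves the construction open). Returns {level: lower_bound}."""
    bounds = {}
    for s, lvl in history:
        if lvl > 0:
            mk = s - threshold
            bounds[lvl] = min(mk, bounds.get(lvl, mk))
    return dict(sorted(bounds.items()))


def grade_system(s_a, threshold, bounds):
    """Compare S_A with the threshold, form MK when it is exceeded, and map MK
    to a level; level 0 means no alarm."""
    mk = s_a - threshold
    if mk <= 0:
        return {"S_A": s_a, "MK": mk, "level": 0}
    # Highest level whose lower bound MK reaches. An MK above the threshold but
    # below every historical bound is treated as the lowest level (assumption).
    level = max((lvl for lvl, lo in bounds.items() if mk >= lo), default=1)
    return {"S_A": s_a, "MK": mk, "level": level}


if __name__ == "__main__":
    thr, b1, b2 = threshold_from_history(HISTORY)
    bounds = level_intervals(HISTORY, thr)
    print(f"B1={b1:.3f} B2={b2:.3f} threshold={thr:.3f} bounds={bounds}")
    for s_a in (1.6, 2.5, 3.5):
        print(grade_system(s_a, thr, bounds))
```

With w_1 weighted toward B_1, the threshold sits closer to the anomalous mean than to the normal one, so the history used to set it should contain the lowest-severity anomalies the operator still wants reported; otherwise those periods will fall below the threshold and never reach the grading step.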
The disclosed embodiments provide a plurality of network elements including a communication node, a server, and a background, where each network element includes a non-volatile computer storage medium, where the computer storage medium stores computer-executable instructions that may perform the method steps described in the above embodiments.
In the invention, after the node equipment of the Internet of things judges the abnormal condition, the processed data is uploaded to the server, so that the load pressure of network transmission is reduced, the network delay is reduced, and the number of the node equipment of the Internet of things which can be accessed is increased.
In the invention, the edge server analyzes the abnormal data reported by all the nodes in the system to obtain the overall network security level of the system, and reliable early warning triggering is realized through dual abnormal analysis of the nodes and the server.
It should be noted that the computer readable medium of the present disclosure may be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In contrast, in the present disclosure, a computer readable signal medium may comprise a propagated data signal with computer readable program code embodied therein, either in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, optical cables, RF (radio frequency), etc., or any suitable combination of the foregoing.
The computer readable medium may be embodied in the electronic device; or may exist separately without being assembled into the electronic device.
Computer program code for carrying out operations for aspects of the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk or C++, and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the internet using an internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in the embodiments of the present disclosure may be implemented by software or hardware. In some cases, the name of a unit does not constitute a limitation on the unit itself.
The foregoing describes preferred embodiments of the present invention, and is intended to provide a clear and concise description of the spirit and scope of the invention, and not to limit the same, but to include all modifications, substitutions, and alterations falling within the spirit and scope of the invention as defined by the appended claims.

Claims (10)

1. An intelligent network security detection early warning system, the system comprising:
the node equipment of the Internet of things periodically collects data and receives information transmitted by other node equipment, processes and analyzes the collected data and the data received from other node equipment, reports the processed collected data information and the processed data received from other node equipment to a next node or an edge server as abnormal information data when the analysis result is abnormal, and reports abnormal indication information to the next node or the edge server when the analysis result is abnormal;
the edge server calculates whether the abnormal entropy of the current system exceeds a threshold value according to the abnormal information data reported by each node after receiving the abnormal information data or the abnormal indication information, if so, the edge server determines the abnormal grade of the system and reports the abnormal grade of the system to the early warning background;
the early warning background carries out early warning according to the received abnormal grade of the system;
the node equipment of the Internet of things performs anomaly analysis on the acquired data and the data received from other node equipment, and the anomaly analysis includes that a network anomaly judgment model is built in the node equipment of the Internet of things to perform anomaly analysis on the acquired data and the data received from other node equipment;
the step in which the edge server, after calculating that the abnormal entropy of the current system exceeds the threshold value, judges the abnormal grade of the system comprises the following steps:
step one, the edge server calculates the abnormal entropy S_node of a single node:
Figure FDA0003863918750000011
wherein S_nodej is the abnormal entropy of the jth Internet of Things node device that reports network abnormal information to the edge server in a period, s is the hop count of the single node from the edge server, n is the number of data streams received from all other nodes in the period, M is the number of data packets contained in the data streams, L is the size of the data packets, FL_max is the maximum data volume that the jth Internet of Things node device can receive in the time period of a single cycle allocated to receiving data from other node devices, U is the number of other node devices from which the jth Internet of Things node device receives uploaded data, O is the actual size of the data volume acquired by the jth Internet of Things node device in the time period of the single cycle allocated to acquiring data, O_norm is the normal size of the data volume that the jth Internet of Things node device can acquire in the time period of the single cycle allocated to acquiring data, R_ik is the number of unmatched network-layer address and data-link-layer address pairs found by detection of the transmitted data of the kth other node device, R_pk is the number of unmatched network-layer address and port number pairs found by detection of the transmitted data of the kth other node device, and R_sk is the number of unmatched data-link-layer address and port number pairs found by detection of the transmitted data of the kth other node device;
step two, the edge server calculates the abnormal entropy S_A of the current system:
Figure FDA0003863918750000021
wherein w is the number of pieces of abnormal information reported by node devices and received by the edge server;
step three, the edge server judges whether the abnormal entropy S_A of the current system is greater than the threshold value;
step four, when S_A - threshold > 0, the edge server computes MK = S_A - threshold;
and step five, the MK is compared with the abnormal grade intervals to determine the current abnormal grade of the system.
2. The intelligent network security detection and early warning system as claimed in claim 1, wherein the node devices of the internet of things periodically collect data and receive information transmitted by other node devices, including collecting data in a first time period of a single period and receiving information transmitted by other node devices in other time periods except the first time period of the single period.
3. The intelligent network security detection and early warning system of claim 1, wherein the node device of the internet of things processes the collected data and the data received from other node devices, including obtaining the following parameter information:
the number n of data streams received from all other nodes in a cycle by the node device of the internet of things, the number M of data packets contained in the data streams, the size L of the data packets, the maximum data amount FL_max receivable by the jth node device of the internet of things in the time period of a single cycle allocated to receiving data from other node devices, the number U of other node devices from which the jth node device of the internet of things receives uploaded data, the actual size O of the data volume acquired by the jth node device of the internet of things in the time period of the single cycle allocated to acquiring data, the normal size O_norm of the data volume that the jth node device of the internet of things can acquire in the time period of the single cycle allocated to acquiring data, the number R_ik of unmatched network-layer address and data-link-layer address pairs found by detection of the data sent by the kth other node device, the number R_pk of unmatched network-layer address and port number pairs found by detection of the data sent by the kth other node device, and the number R_sk of unmatched data-link-layer address and port number pairs found by detection of the data sent by the kth other node device.
4. The intelligent network security detection and early warning system as claimed in claim 1, wherein the abnormality analysis of the collected data and the data received from other node devices by the node devices of the internet of things includes performing abnormality analysis of the collected data and the data received from other node devices by the node devices of the internet of things according to a built-in network abnormality judgment model, the network abnormality judgment model is trained according to historical network data of at least each device of the system, the historical network data is stored according to data collected and received in each device historical period, and the historical network data is trained as input data of a KNN model to obtain a network abnormality judgment model of a single device.
5. The intelligent network security detection and early warning system of claim 1, wherein the network anomaly judgment model comprises two KNN models, namely a KNN model corresponding to a first time interval for collecting data in a single cycle and a KNN model corresponding to a second time interval for receiving information transmitted by other node equipment in the single cycle, and the abnormal conditions are judged by combining the two KNN models.
6. The intelligent network security detection and early warning system of claim 1, wherein the threshold is set according to the mean B_1 of the system anomaly entropy over periods in which a system network anomaly occurred in the system historical data and the mean B_2 of the system anomaly entropy over periods in which no system network anomaly occurred in the system historical data.
7. The intelligent network security detection and early warning system of claim 6, wherein the threshold value threshold is set as threshold = w_1 B_1 + w_2 B_2, where w_1 and w_2 are the weights corresponding to the mean B_1 of the system anomaly entropy with system network anomalies in the system historical data and the mean B_2 of the system anomaly entropy without system network anomalies in the system historical data, and w_1 and w_2 satisfy the quantitative relation w_1 + w_2 = 1.
8. A network security detection and early-warning method based on the intelligent security detection and early-warning system of any one of claims 1 to 7, the method comprising:
the method comprises the steps that the node equipment of the Internet of things periodically collects data and receives information transmitted by other node equipment, the node equipment of the Internet of things processes and analyzes abnormity of the collected data and the data received from other node equipment, when an analysis result is abnormal, the processed collected data information and the processed data received from other node equipment are reported to a next node or an edge server as abnormal information data, and when the analysis result is abnormal, abnormal indication information is reported to the next node or the edge server; after the edge server receives abnormal information data or abnormal indication information reported by all nodes, the edge server calculates whether the abnormal entropy of the current system exceeds a threshold value according to the abnormal information data reported by all nodes, if so, the abnormal grade of the system is determined, and the abnormal grade of the system is reported to an early warning background; and the early warning background carries out early warning according to the received abnormal grade of the system.
9. The network security detection and early warning method of claim 8, wherein the node device of the internet of things periodically collects data and receives information transmitted by other node devices, and the collecting of the data in the first time period of the period and the receiving of the information transmitted by other node devices in other time periods outside the first time period of the period.
10. The network security detection and early warning method of claim 8, wherein when the node device of the internet of things transmits data to another node device of the internet of things, the access network transmits data on the time-frequency resources allocated to the device pair in advance.
CN202210955318.XA 2022-08-10 2022-08-10 Intelligent network security detection early warning system and method Active CN115038088B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210955318.XA CN115038088B (en) 2022-08-10 2022-08-10 Intelligent network security detection early warning system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210955318.XA CN115038088B (en) 2022-08-10 2022-08-10 Intelligent network security detection early warning system and method

Publications (2)

Publication Number Publication Date
CN115038088A CN115038088A (en) 2022-09-09
CN115038088B true CN115038088B (en) 2022-11-08

Family

ID=83130530

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210955318.XA Active CN115038088B (en) 2022-08-10 2022-08-10 Intelligent network security detection early warning system and method

Country Status (1)

Country Link
CN (1) CN115038088B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115695032B (en) * 2022-11-07 2023-05-30 广东网安科技有限公司 Network security detection system
CN116614319B (en) * 2023-07-20 2023-10-03 河北神玥软件科技股份有限公司 Network security control method based on big data and artificial intelligence

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104660464A (en) * 2015-01-22 2015-05-27 贵州电网公司信息通信分公司 Network anomaly detection method based on non-extensive entropy
CN109951420A (en) * 2017-12-20 2019-06-28 广东电网有限责任公司电力调度控制中心 A kind of multistage flow method for detecting abnormality based on entropy and dynamic linear relationship
CN112788066A (en) * 2021-02-26 2021-05-11 中南大学 Abnormal flow detection method and system for Internet of things equipment and storage medium

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100856924B1 (en) * 2007-03-08 2008-09-05 한국전자통신연구원 Method and apparatus for indicating network state
US9210181B1 (en) * 2014-05-26 2015-12-08 Solana Networks Inc. Detection of anomaly in network flow data
CN111935172B (en) * 2020-08-25 2023-09-05 广东一知安全科技有限公司 Network abnormal behavior detection method based on network topology, computer device and computer readable storage medium

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Gyro anomaly detection method based on information entropy; Guan Wu et al.; 2021 Global Reliability and Prognostics and Health Management (PHM-Nanjing); 2021-10-17; pp. 1-4 *
A survey of anomaly detection techniques for the industrial Internet of Things; 孙海丽 et al.; 通信学报 (Journal on Communications); 2022-03-31; Vol. 43, No. 3; pp. 197-205 *

Also Published As

Publication number Publication date
CN115038088A (en) 2022-09-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant