CN103973697B - An intrusion detection method for the Internet of Things perception layer - Google Patents
- Publication number
- CN103973697B (application CN201410211088.1A)
- Authority
- CN
- China
- Prior art keywords
- data
- detection
- sensing layer
- site detection
- intrusion
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Landscapes
- Alarm Systems (AREA)
Abstract
The invention discloses an intrusion detection method for the perception layer of the Internet of Things (IoT). It relates to security detection for the IoT perception layer, and in particular to a detection method that combines feature (signature-based) detection with anomaly detection to judge whether intrusion behavior is present in the network. It is proposed to solve the high false-positive rate, high false-negative rate and low detection rate of the prior art. By combining feature detection and anomaly detection for intrusion detection in the IoT perception layer, the invention has, compared with the prior art, a low false-positive rate, a low false-negative rate, a high detection rate and good timeliness, and is suitable for detecting abnormal behavior in the IoT perception layer.
Description
Technical field
The present invention relates to the field of Internet of Things security, and more particularly to a method for detecting intrusion behavior in the perception layer of the Internet of Things.
Background art
The Internet of Things (IoT) is an integrated information system built around sensing and the interconnection of things, and has been described as the third wave of the information industry after the computer and the Internet. The IoT places very high demands on data security, especially at the information perception layer: if the network is intruded upon and illegal or malicious data flows into the IoT through the perception layer, it endangers not only the perception-layer data but also the information transport layer connected to it, and can then cause unpredictable damage to the whole network. At the same time, because of the characteristics of perception-layer nodes themselves, these nodes are easily attacked, so taking appropriate measures to protect the information security of the IoT perception layer is very important.
At present, intrusion detection for the IoT perception layer is still in its infancy. To keep perception-layer nodes secure and improve the security of the whole network, many intrusion detection solutions have been proposed so far, most of them based on either feature detection or anomaly detection. Feature detection gives a deterministic description of the features of intrusion behavior, forms corresponding rules and gathers them into a feature library, and then compares the collected data against the feature library; a match indicates that the behavior is an intrusion. This detection is usually carried out with statistical methods, and an effective threshold for the statistical method is hard to determine: too small a value produces a large number of false positives, and too large a value produces a large number of missed detections. Feature detection can accurately detect known intrusion behavior but is helpless against new intrusions. Anomaly detection compares the detected behavior with the behavior defined as normal in the rule base: if they match, the behavior is considered legitimate; if they do not, it is considered illegitimate. This method can detect new intrusion behavior, but it suffers from a high false-detection rate.
How to combine the advantages of the two detection methods organically while avoiding the shortcomings of both is the focus of the present invention. Some researchers have also studied combining feature detection with anomaly detection, but most of them simply use the two methods side by side, with the two techniques implemented separately. That cannot, in itself, overcome the defects of either technique. The present invention therefore proposes a new detection scheme that combines feature detection with anomaly detection, in order to overcome the inherent shortcomings of both techniques and give the system a higher detection rate and a lower false-negative rate.
Meanwhile, current work on IoT perception-layer intrusion detection is mostly preliminary; that is, most discussions of IoT perception-layer intrusion detection provide only a framework and do not settle how detection is actually to be implemented.
Summary of the invention
In view of the above deficiencies of the prior art, the object of the invention is to provide an IoT perception-layer intrusion detection method with a low false-negative rate and a high detection rate. The technical solution is as follows: an intrusion detection method for the IoT perception layer, comprising the following steps:
101. Initialization: generate a rule base whose content is empty;
102. The IoT perception-layer nodes acquire and collect field detection data using sensors; the collected field detection data is trained with an immune genetic algorithm to form a normal behavior set and an intrusion behavior set, which are each stored in the rule base of step 101 to form the trained rule base; go to step 103;
103. When the IoT perception-layer nodes again acquire and collect field detection data using sensors, the data is judged by the feature-based detection method. If the field detection data conforms to the normal behavior set in the trained rule base of step 102, the detection result is judged to be 1, the field detection data is safe, and the data is updated into the trained rule base;
If the field detection data conforms to the intrusion behavior set in the trained rule base of step 102, the detection result is judged to be 0 and the field detection data is potential-hazard data, which is then examined by the anomaly-based detection method. If the second detection result is 1, the potential-hazard data is judged to be a false positive of the first detection; it is allowed through and the false-positive data is fed back to the trained rule base as an update. If the second detection result is 0, the potential-hazard data is intrusion data, and the intrusion data is intercepted and an alarm is raised.
Further, the immune genetic algorithm in step 102 comprises the following steps:
A. Randomly generate an initial population from the field detection data, then compute the fitness f of the generated initial population, where H(i, s) denotes the information entropy between individual i and a single individual in the self set S, and the self set S contains n individuals; sort the individuals and select those with fitness value f > 0.8 to be inherited into the next generation;
B. At the same time, apply crossover and mutation operations to the individuals in the population;
C. If the fitness f of the population satisfies the termination condition (f > 0.8), the rule base is obtained; otherwise training continues until the trained rule base is obtained.
Further, the normal behavior set and the intrusion behavior set in step 102 are expressed respectively as follows: when the field detection data is A, it is normal behavior; when the field detection data is B, it is intrusion behavior.
Advantages and beneficial effects of the invention:
The invention combines feature detection with anomaly detection, overcoming the inability of traditional feature detection to detect unknown intrusion behavior: during detection it can detect both known and unknown intrusion behavior. Compared with traditional feature detection or anomaly detection alone, the scheme has a low false-positive rate, a low false-negative rate and a high detection rate. Because an immune genetic algorithm is used to generate the rule base, the method has strong self-learning ability and good adaptivity.
Description of the drawings
Fig. 1 is a schematic flow diagram of the invention;
Fig. 2 is a schematic block diagram of detection;
Fig. 3 is a detailed diagram of rule base generation, update and operation.
Detailed description of the embodiments
The invention is further described below, with reference to the accompanying drawings, by way of a non-limiting embodiment.
Referring to Figs. 1 to 3, the IoT perception-layer intrusion detection method comprises the following steps:
101. Initialization: generate a rule base whose content is empty;
102. The IoT perception-layer nodes acquire and collect field detection data (such as temperature, humidity, etc.) using sensors; the collected field detection data is trained with an immune genetic algorithm to form a normal behavior set and an intrusion behavior set, which are each stored in the rule base of step 101 to form the trained rule base; go to step 103;
103. When the IoT perception-layer nodes again acquire and collect field detection data using sensors, the data is judged by the feature-based detection method. If the field detection data conforms to the normal behavior set in the trained rule base of step 102, the detection result is judged to be 1, the field detection data is safe, and the data is updated into the trained rule base;
If the field detection data conforms to the intrusion behavior set in the trained rule base of step 102, the detection result is judged to be 0 and the field detection data is potential-hazard data, which is then examined by the anomaly-based detection method. If the second detection result is 1, the potential-hazard data is judged to be a false positive of the first detection; it is allowed through and the false-positive data is fed back to the trained rule base as an update. If the second detection result is 0, the potential-hazard data is intrusion data, and the intrusion data is intercepted and an alarm is raised.
Preferably, the immune genetic algorithm in step 102 comprises the following steps:
A. Randomly generate an initial population from the field detection data, then compute the fitness f of the generated initial population, where H(i, s) denotes the information entropy between individual i and a single individual in the self set S, and the self set S contains n individuals; sort the individuals and select those with fitness value f > 0.8 to be inherited into the next generation;
B. At the same time, apply crossover and mutation operations to the individuals in the population;
C. If the fitness f of the population satisfies the termination condition (f > 0.8), the rule base is obtained; otherwise training continues until the trained rule base is obtained.
The normal behavior set and the intrusion behavior set in step 102 are expressed respectively as follows: when the field detection data is A, it is normal behavior; when the field detection data is B, it is intrusion behavior.
Embodiment: the IoT perception-layer intrusion detection method mainly consists of a perception-layer data collection step, a rule base generation and update step, an intrusion behavior detection step and a response step. As shown in Fig. 1, the perception-layer data collection step is responsible for collecting and temporarily storing data. The rule base generation and update step generates the rule base used for feature detection and anomaly detection and keeps it updated in a timely manner. To generate the rule base, an initial population is first generated at random; fitness is then computed for the initial population and the individuals are sorted; individuals with high fitness are selected and inherited into the next generation, while crossover and mutation operations are applied to the individuals in the population to strengthen individual adaptability and so improve the population. Finally, the new population is checked against the termination condition: if the fitness of the population satisfies it, the rule base is obtained; otherwise training continues. Updating takes place during detection: the results obtained by the detection module are fed back to the previously generated rule base, which achieves real-time updating. The intrusion behavior detection step determines whether the data is safe and feeds the result back to the rule base. The response step handles the data according to the message from the intrusion behavior detection step.
The complete detection flow is as follows:
As shown in Fig. 2, after the data is collected in the perception-layer data collection step, it flows into the detection module for processing and detection. The data first enters the rule base as initial data and is trained to form the rule base; the feature detection module then uses the resulting rule base for preliminary detection. If the detection result is 1, the data is safe; it is allowed through and fed back into the rule base so that the rule base is updated in time. If the detection result is 0, the data carries a potential security hazard and is sent to the anomaly detection module to be examined again. If the second detection result is 1, the preliminary detection was a false positive; the data is allowed through and fed back to update the rule base. If the second detection result is 0, the data is intrusion data, and the result is sent directly to the response module, which intercepts the data and raises an alarm.
Rule base generation, update and operation are shown in Fig. 3:
1. Generation: when the system is first used, the rule base is empty, and the immune genetic algorithm acts directly on the data to form the normal behavior library and the intrusion behavior library;
2. Update: after the rule base has been generated, behavior judged to be 1 (normal) by feature detection and anomaly detection is used to update the normal behavior library, and intrusion behavior found by anomaly detection is used to update the intrusion behavior library;
3. Operation: the intrusion behavior and the normal behavior described in the rule base are sent to feature detection and anomaly detection respectively for comparison, yielding the respective detection results.
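The two-stage flow of Fig. 2 together with the rule base feedback of Fig. 3, as an added Python example that is not part of the patent. The reading format, the tolerance-based matching, the k-sigma anomaly model and the handling of readings that match neither set are assumptions, since the patent text does not specify them.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import List, Tuple

Reading = Tuple[float, float]  # assumed format: (temperature in C, humidity in %RH)

@dataclass
class RuleBase:
    normal: List[Reading] = field(default_factory=list)     # normal behavior library
    intrusion: List[Reading] = field(default_factory=list)  # intrusion behavior library

def matches(r: Reading, library: List[Reading], tol: Reading = (1.0, 3.0)) -> bool:
    """Assumed matching rule: r lies within tol of some stored sample."""
    return any(abs(r[0] - s[0]) <= tol[0] and abs(r[1] - s[1]) <= tol[1]
               for s in library)

def feature_detect(r: Reading, rb: RuleBase) -> int:
    """Stage 1. Returns 1 only for a reading that matches the normal set and no
    intrusion signature. A reading matching neither set is a case the patent
    text leaves open; here it is treated as a potential hazard (assumption)."""
    return 1 if matches(r, rb.normal) and not matches(r, rb.intrusion) else 0

def anomaly_detect(r: Reading, rb: RuleBase, k: float = 3.0) -> int:
    """Stage 2. Assumed model: 1 if every field is within k standard deviations
    of the normal library's mean, else 0. An empty profile confirms nothing."""
    if not rb.normal:
        return 0
    for idx in range(2):
        column = [s[idx] for s in rb.normal]
        mu, sigma = mean(column), pstdev(column)
        if abs(r[idx] - mu) > k * max(sigma, 1e-9):
            return 0
    return 1

def detect(r: Reading, rb: RuleBase) -> Tuple[int, str]:
    """Run the two-stage flow and apply the rule base feedback."""
    if feature_detect(r, rb) == 1:
        rb.normal.append(r)      # safe: update the normal library
        return 1, "pass"
    if anomaly_detect(r, rb) == 1:
        rb.normal.append(r)      # stage-1 false positive: pass and feed back
        return 1, "pass_false_positive"
    rb.intrusion.append(r)       # confirmed intrusion: update the intrusion library
    return 0, "intercept_and_alarm"

def demo() -> Tuple[List[Tuple[int, str]], RuleBase]:
    # Constructed sample data, not taken from the patent.
    rb = RuleBase(
        normal=[(21.0, 45.0), (22.0, 47.0), (23.0, 44.0), (22.5, 46.0), (21.5, 48.0)],
        intrusion=[(60.0, 10.0), (24.5, 49.0)],  # second signature is too broad
    )
    readings = [(22.2, 46.5), (23.8, 48.5), (60.5, 11.0), (35.0, 80.0)]
    return [detect(r, rb) for r in readings], rb

if __name__ == "__main__":
    for verdict in demo()[0]:
        print(verdict)
```

The second reading hits the overly broad signature but is cleared by the anomaly stage, and the fourth reading matches no stored signature yet is still intercepted, which is the unknown-intrusion case the combination is meant to cover.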
The invention is suitable for detecting abnormal behavior in the IoT perception layer. With the intrusion detection method disclosed here, because feature detection and anomaly detection are used in combination, intrusion detection achieves a low false-positive rate, a low false-negative rate and a high detection rate; the method has good detection capability for unknown intrusion behavior and also has good adaptive capability.
With traditional methods the false-positive rate is typically around 2%; the method of the invention can reduce the false-positive rate to below 0.3%. Meanwhile, the detection rate can reach more than 99%.
The above embodiment should be understood as merely illustrating the invention and not limiting its scope of protection. After reading the content of the invention, a person skilled in the art can make various changes or modifications to it, and such equivalent changes and modifications likewise fall within the scope defined by the claims of the invention.
Claims (2)
1. An intrusion detection method for the Internet of Things perception layer, characterized by comprising the following steps:
101. Initialization: generate a rule base whose content is empty;
102. The IoT perception-layer nodes acquire and collect field detection data using sensors; the collected field detection data is trained with an immune genetic algorithm to form a normal behavior set and an intrusion behavior set, which are each stored in the rule base of step 101 to form the trained rule base; go to step 103; wherein the immune genetic algorithm comprises the following steps:
A. Randomly generate an initial population from the field detection data, then compute the fitness f of the generated initial population, where H(i, s) denotes the information entropy between individual i and a single individual in the self set S, and the self set S contains n individuals; sort the individuals and select those with fitness value f > 0.8 to be inherited into the next generation;
B. At the same time, apply crossover and mutation operations to the individuals in the population;
C. If the fitness f of the population satisfies the termination condition f > 0.8, the rule base is obtained; otherwise training continues until the trained rule base is obtained.
103. When the IoT perception-layer nodes again acquire and collect field detection data using sensors, the data is judged by the feature-based detection method. If the field detection data conforms to the normal behavior set in the trained rule base of step 102, the detection result is judged to be 1, the field detection data is safe, and the data is updated into the trained rule base;
If the field detection data conforms to the intrusion behavior set in the trained rule base of step 102, the detection result is judged to be 0 and the field detection data is potential-hazard data, which is then examined by the anomaly-based detection method. If the second detection result is 1, the potential-hazard data is judged to be a false positive of the first detection; it is allowed through and the false-positive data is fed back to the trained rule base as an update. If the second detection result is 0, the potential-hazard data is intrusion data, and the intrusion data is intercepted and an alarm is raised.
2. The IoT perception-layer intrusion detection method according to claim 1, characterized in that the normal behavior set and the intrusion behavior set in step 102 are expressed respectively as follows: when the field detection data is A, it is normal behavior; when the field detection data is B, it is intrusion behavior.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410211088.1A CN103973697B (en) | 2014-05-19 | 2014-05-19 | An intrusion detection method for the Internet of Things perception layer |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103973697A (en) | 2014-08-06 |
CN103973697B (en) | 2017-03-29 |
Family
ID=51242743
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410211088.1A Active CN103973697B (en) | An intrusion detection method for the Internet of Things perception layer | 2014-05-19 | 2014-05-19 |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103973697B (en) |
Families Citing this family (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104601556B (en) * | 2014-12-30 | 2017-12-26 | 中国科学院信息工程研究所 | A kind of attack detection method and system towards WEB |
US11507848B2 (en) * | 2016-08-08 | 2022-11-22 | TCL Research America Inc. | Experience-aware anomaly processing system and method |
CN106789904B (en) * | 2016-11-23 | 2019-10-25 | 北京邮电大学 | Internet of Things intrusion detection method and device |
CN106603546B (en) * | 2016-12-22 | 2020-07-28 | 北京邮电大学 | Internet of things intrusion monitoring method and device |
CN107222491B (en) * | 2017-06-22 | 2021-01-05 | 北京工业大学 | Intrusion detection rule creating method based on industrial control network variant attack |
CN110351229B (en) * | 2018-04-04 | 2020-12-08 | 电信科学技术研究院有限公司 | Terminal UE (user equipment) management and control method and device |
CN108989338A (en) * | 2018-08-20 | 2018-12-11 | 常州信息职业技术学院 | A kind of Internet of Things information prevents the immune system and its method of invasion |
CN109347870B (en) * | 2018-11-29 | 2022-01-14 | 广州大学 | Active defense system method and method based on biological immunity |
CN113630478B (en) * | 2021-10-11 | 2022-01-07 | 山东美欣医疗科技有限公司 | Dynamic monitoring system and method for multi-perception Internet of things |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1738257A (en) * | 2004-12-31 | 2006-02-22 | 北京大学 | Network intrusion detection system and method based on application protocol detection engine |
CN101431416A (en) * | 2008-12-10 | 2009-05-13 | 南京邮电大学 | Synergistic learning invasion detection method used for data gridding |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030172291A1 (en) * | 2002-03-08 | 2003-09-11 | Paul Judge | Systems and methods for automated whitelisting in monitored communications |
Non-Patent Citations (1)
Title |
---|
A hybrid network intrusion detection system; Sun Yun et al.; Computer Engineering; 20080531; Vol. 34 (No. 9); pp. 1-3 * |
Also Published As
Publication number | Publication date |
---|---|
CN103973697A (en) | 2014-08-06 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||