CN108881277B - Method, device and equipment for monitoring wireless sensor network node intrusion - Google Patents
Method, device and equipment for monitoring wireless sensor network node intrusion Download PDFInfo
- Publication number
- CN108881277B CN108881277B CN201810750541.4A CN201810750541A CN108881277B CN 108881277 B CN108881277 B CN 108881277B CN 201810750541 A CN201810750541 A CN 201810750541A CN 108881277 B CN108881277 B CN 108881277B
- Authority
- CN
- China
- Prior art keywords
- clustering
- clustering result
- link quality
- wireless sensor
- sensor network
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/12—Detection or prevention of fraud
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W84/00—Network topologies
- H04W84/18—Self-organising networks, e.g. ad-hoc networks or sensor networks
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The invention discloses a method for monitoring the intrusion of a wireless sensor network node, which can respectively carry out a clustering algorithm based on mathematical morphology, a clustering algorithm based on distance and a clustering algorithm based on hierarchy on received signal strength indication and link quality indication of each network node in a wireless sensor network when transmitting data, determine a final clustering result according to the obtained three clustering results, and judge whether an illegally-intruding network node exists according to the size relationship between the final clustering result and the number of nodes in the wireless sensor network. Therefore, the method integrates the three clustering methods to obtain the final clustering result, so that the clustering result is more accurate, the reliability is higher, and the purpose of monitoring illegal invasive nodes in the wireless sensor network is effectively realized. In addition, the invention also provides a device, equipment and a computer readable storage medium for monitoring the intrusion of the wireless sensor network node, and the function of the device corresponds to that of the method.
Description
Technical Field
The present invention relates to the field of wireless network security, and in particular, to a method, an apparatus, a device, and a computer-readable storage medium for monitoring intrusion of a wireless sensor network node.
Background
With the development of network technology, wireless networks have entered into the aspects of life, and the security of wireless networks has also started to draw more and more attention.
The security problem of the wireless sensor network is solved by adopting encryption and authentication methods, the encryption can ensure that an attacker cannot crack a transmitted ciphertext message to obtain a plaintext message even if obtaining the transmitted ciphertext message, and the authentication can ensure that the message comes from a legal node and verifies whether the message is modified or not.
However, the above two methods belong to passive defense and cannot realize intrusion monitoring. The encryption or authentication method is adopted to ensure the safety of data transmission, the computational complexity and energy consumption are high, the system cost is high, most importantly, the encryption or authentication method can hardly support intrusion monitoring, when the intrusion of a malicious node occurs in a wireless sensor network, the attack of the node cannot be monitored in real time, and therefore the safety of the wireless sensor network is limited.
Therefore, how to provide a reliable method for monitoring the intrusion of the wireless sensor network node has great research significance.
Disclosure of Invention
The invention aims to provide a method, a device, equipment and a computer readable storage medium for monitoring node intrusion of a wireless sensor network, which are used for solving the problem of low security caused by the fact that the traditional wireless sensor network cannot monitor the node intrusion.
In order to solve the above technical problem, the present invention provides a method for monitoring node intrusion of a wireless sensor network, comprising:
determining a received signal strength indication and a link quality indication of each network node in the wireless sensor network when transmitting data;
clustering the link quality indicators by using a clustering algorithm based on mathematical morphology to obtain a first clustering result;
clustering the received signal strength indication and the link quality indication by using a distance-based clustering algorithm to obtain a second clustering result;
clustering the received signal strength indication and the link quality indication by using a hierarchical clustering algorithm to obtain a third clustering result;
determining a final clustering result according to the first clustering result, the second clustering result and the third clustering result;
and judging whether the wireless sensor network has illegally invaded network nodes according to the size relation between the final clustering result and the number of the nodes in the wireless sensor network.
Wherein the determining the final clustering result according to the first clustering result, the second clustering result and the third clustering result comprises:
assigning a first weight coefficient, a second weight coefficient and a third weight coefficient to the first clustering result, the second clustering result and the third clustering result respectively in advance, wherein the sum of the first weight coefficient, the second weight coefficient and the third weight coefficient is 1;
determining a final clustering result according to the first clustering result, the second clustering result, the third clustering result, the first weight coefficient, the second weight coefficient and the third weight coefficient;
the judging whether the network nodes invaded illegally exist in the wireless sensor network according to the size relationship between the final clustering result and the number of the nodes in the wireless sensor network comprises the following steps:
judging whether the final clustering result is larger than the number of nodes in the wireless sensor network;
and if so, the illegally invaded network node exists in the wireless sensor network.
Wherein the first weight coefficient, the second weight coefficient, and the third weight coefficient are all 1/3.
Wherein the clustering the link quality indicator by using a clustering algorithm based on mathematical morphology to obtain a first clustering result comprises:
determining a link quality step curve according to the link quality indication, wherein the abscissa of the link quality step curve is a sampling sequence number, and the ordinate of the link quality step curve is the link quality indication;
determining a subgraph region between the link quality step curve and the abscissa axis;
performing multiple operations on the subgraph region by using erosion operation in mathematical morphology to obtain a plurality of particle fractions;
determining a particle distribution curve according to the particle fraction;
and determining the first clustering result according to the particle curve.
Wherein the clustering the received signal strength indication and the link quality indication by using a distance-based clustering algorithm to obtain a second clustering result comprises:
determining a data joint distribution graph according to the received signal strength indication and the link quality indication, wherein the abscissa of the joint distribution graph is the received signal strength indication, and the ordinate is the link quality indication;
performing clustering operation for a first preset number of times according to the data joint distribution map by using the distance-based clustering algorithm to obtain a plurality of clustering results;
and determining the clustering result with the maximum average contour value in the clustering results, and taking the clustering result with the maximum average contour value as the second clustering result.
Wherein the clustering the received signal strength indication and the link quality indication by using a hierarchical clustering algorithm to obtain a third clustering result comprises:
determining the data joint distribution map according to the received signal strength indication and the link quality indication;
performing clustering operation according to the data joint distribution map by using the hierarchical clustering algorithm to obtain a dendrogram;
intercepting the dendrogram in a second preset time intercepting mode to determine a plurality of clustering results;
and determining the clustering result with the maximum average contour value in the clustering results, and taking the clustering result with the maximum average contour value as the third clustering result.
Recording the total number of points in the data joint distribution graph as n, dividing the n points into a plurality of classes, and if i is a positive integer between 1 and n, then the calculation formula of the average contour value is
Wherein ρ (i) is a contour value of a point i in the data joint distribution graph; contour value of the point i
Wherein δ (i) is the pointi and the current class, epsilon (i) represents the minimum value of the difference between the point i and each class.
The invention also provides a device for monitoring the intrusion of the wireless sensor network node, which comprises the following components:
an indication determination module: the wireless sensor network is used for determining a received signal strength indication and a link quality indication of each network node in the wireless sensor network when transmitting data;
the first clustering module: the link quality indicator is clustered by using a clustering algorithm based on mathematical morphology to obtain a first clustering result;
a second type of module: the clustering module is used for clustering the received signal strength indication and the link quality indication by using a distance-based clustering algorithm to obtain a second clustering result;
a third clustering module: the clustering module is used for clustering the received signal strength indication and the link quality indication by utilizing a hierarchical clustering algorithm to obtain a third clustering result;
a final clustering result determination module: determining a final clustering result according to the first clustering result, the second clustering result and the third clustering result;
a judging module: and judging whether illegal intrusion network nodes exist in the wireless sensor network according to the size relationship between the final clustering result and the number of the nodes in the wireless sensor network.
In addition, the invention also provides a device for monitoring the intrusion of the wireless sensor network node, which comprises:
a memory: for storing a computer program;
a processor: for executing said computer program for carrying out the steps of a method for monitoring wireless sensor network node intrusion as described above.
Finally, the present invention also provides a computer readable storage medium having stored thereon a computer program which, when being executed by a processor, carries out the steps of a method of monitoring intrusion by a wireless sensor network node as described above.
Therefore, the method for monitoring the intrusion of the nodes of the wireless sensor network provided by the invention can determine the received signal strength indication and the link quality indication of each network node in the wireless sensor network when transmitting data, respectively perform the clustering algorithm based on mathematical morphology, the clustering algorithm based on distance and the clustering algorithm based on hierarchy on the received signal strength indication and the link strength indication, determine the final clustering result according to the three obtained clustering results, and judge whether the network node which is illegally intruded exists according to the size relationship between the final clustering result and the number of the nodes in the wireless sensor network. Therefore, the method integrates the three clustering methods to obtain the final clustering result, so that the clustering result is more accurate, the reliability is higher, and the purpose of monitoring illegal invasive nodes in the wireless sensor network is effectively realized.
In addition, the invention also provides a device, equipment and a computer readable storage medium for monitoring the intrusion of the wireless sensor network node, wherein the function of the device and the equipment corresponds to the function of the method, and the description is omitted.
Drawings
For a clearer explanation of the embodiments of the present invention or the technical solutions of the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a flowchart illustrating an implementation of an embodiment of a method for monitoring intrusion into a wireless sensor network node according to the present invention;
FIG. 2 is a schematic diagram of erasing sub-graph regions by using structural elements in the GSD clustering algorithm provided by the present invention;
FIG. 3 is a particle distribution curve determined using a GSD clustering algorithm according to the present invention;
FIG. 4 is a schematic diagram of a clustering result determined by using a PAM clustering algorithm according to the present invention;
FIG. 5 is a graph of the clustering result obtained according to the PAM clustering algorithm provided by the present invention;
FIG. 6 is a tree diagram determined by the HAC clustering algorithm provided by the present invention;
fig. 7 is a block diagram of an embodiment of an apparatus for monitoring intrusion into a wireless sensor network node according to the present invention.
Detailed Description
The core of the invention is to provide a method, a device and a computer readable storage medium for monitoring the node intrusion of a wireless sensor network, which effectively realize the purpose of monitoring illegal node intrusion in the wireless sensor network.
In order that those skilled in the art will better understand the disclosure, the invention will be described in further detail with reference to the accompanying drawings and specific embodiments. It is to be understood that the described embodiments are merely exemplary of the invention, and not restrictive of the full scope of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The following describes an embodiment of a method for monitoring intrusion of a wireless sensor network node according to the present invention.
The embodiment of the method is realized based on a clustering algorithm, clustering is a process of dividing a data object into a plurality of groups or clusters, and the objects in the same group or cluster have high similarity but are not similar to the objects in other clusters. In this embodiment, certain specific data generated by different sensor nodes in the wireless sensor network are different, so that cluster analysis is performed on certain specific data collected in one network, the number of the sensor nodes in the network can be reflected, if an invasive node is added into the network, a clustering result changes, the change of the number of the sensor nodes in the network is reflected, whether intrusion exists is judged according to the change, and intrusion monitoring is achieved.
Referring to fig. 1, the method embodiment mainly includes:
step S101: a received signal strength indication and a link quality indication of each network node in the wireless sensor network at the time of transmitting data are determined.
As shown in step S101, the basis for determining whether there is an illegal node is the received signal strength indication and the link quality indication in this embodiment. Among them, the Received Signal Strength Indicator (RSSI) is a parameter used to determine the link quality, determine whether to increase the transmission Strength to ensure the data transmission, and it attenuates with the increase of the distance, and the normal value range is [ -113, -93 ]. A Link Quality Indicator (LQI) is a parameter used to indicate the strength of a communication connection, and is expressed in dBm (decibel-milliwatt), and the LQI ranges from 0 to 255. The RSSI and the LQI can be directly read in a header file in each received data packet, and are parameters transmitted by default when data is transmitted, so that the two parameters are the most basic parameters in the wireless sensor network and are also parameters which are easier to collect and extract.
Existing studies of RSSI and LQI are mainly used for positioning and ranging. And calculating the physical distance between the wireless sensing node and the node by using the RSSI and the LQI generated when the node sends data, thereby finally judging the position of the node.
Step S102: and clustering the link quality indicators by using a clustering algorithm based on mathematical morphology to obtain a first clustering result.
This is particularly noted. The first clustering result, the second clustering result, the third clustering result and the final clustering result referred to in the invention all refer to the number of clusters.
A clustering algorithm (abbreviated as GSD) based on mathematical morphology, which can be realized by the following steps:
determining a link quality step curve according to the link quality indication, wherein the abscissa of the link quality step curve is a sampling sequence number, and the ordinate of the link quality step curve is the link quality indication; determining a subgraph region between the link quality step curve and the abscissa axis; performing multiple operations on the subgraph region by using erosion operation in mathematical morphology to obtain a plurality of particle fractions; determining a particle distribution curve according to the particle fraction; and determining the first clustering result according to the particle curve.
Step S103: and clustering the received signal strength indication and the link quality indication by using a distance-based clustering algorithm to obtain a second clustering result.
An algorithm (PAM for short) based on distance clustering can be realized by the following steps:
determining a data joint distribution graph according to the received signal strength indication and the link quality indication, wherein the abscissa of the joint distribution graph is the received signal strength indication, and the ordinate is the link quality indication; performing clustering operation for a first preset number of times according to the data combined distribution graph by using the distance-based clustering algorithm to obtain a plurality of clustering results; and determining the clustering result with the maximum average contour value in the clustering results, and taking the clustering result with the maximum average contour value as the second clustering result.
Regarding the average contour value, a specific calculation method may be as follows:
recording the total number of points in the data joint distribution graph as n, dividing the n points into a plurality of classes, and if i is a positive integer between 1 and n, calculating the average contour value by the formula
Wherein ρ (i) is a contour value of a point i in the data joint distribution graph; contour value of the point i
Wherein δ (i) is the difference between the point i and the current class, and ε (i) represents the minimum value of the difference between the point i and each class.
Step S104: and clustering the received signal strength indication and the link quality indication by using a hierarchical clustering algorithm to obtain a third clustering result.
The Hierarchical Clustering-based algorithm (HAC) can be realized by the following steps:
determining the data joint distribution map according to the received signal strength indication and the link quality indication; performing clustering operation according to the data joint distribution diagram by using the hierarchical clustering algorithm to obtain a dendrogram; intercepting the treemap in a second preset times of intercepting mode to determine a plurality of clustering results; and determining the clustering result with the maximum average contour value in the clustering results, and taking the clustering result with the maximum average contour value as the third clustering result.
Step S105: and determining a final clustering result according to the first clustering result, the second clustering result and the third clustering result.
The characteristic signals in the sensor network are subjected to different angle pairs by using three clustering algorithms of GSD, PAM and HAC: and analyzing and clustering the RSSI and the LQI, wherein each clustering algorithm generates a clustering result, namely the clustering number, generating a contour map for the PAM and the HAC by a contour coefficient method to obtain an optimal clustering result, and the clustering number reflects the number of the sensor nodes in the network. Because a single clustering algorithm is easy to generate deviation and results are unreliable, clustering results of three clustering algorithms are weighted and averaged to obtain a more accurate and reliable clustering result, the number of sensor nodes in a network is monitored in real time, and when a new intrusion node is added into the network, the clustering result is changed, so that the intrusion monitoring effect is achieved.
Therefore, a first weight coefficient, a second weight coefficient, and a third weight coefficient may be respectively assigned to the first clustering result, the second clustering result, and the third clustering result in advance. Finally, the results of GSD, PAM and HAC clustering can be weighted averaged:
wherein the content of the first and second substances,
the results of GSD, PAM and HAC clustering, i.e. the first clustering result, the second clustering result and the third clustering result, respectively. Omega1、ω2And ω2The weights of the GSD, PAM and HAC clustering algorithms, i.e. the first weight coefficient, the second weight coefficient and the third weight coefficient, and omega1+ω2+ω 31. Since the three clustering algorithms analyze and process the RSSI and LQI data from different angles in the present embodiment, the above three weighting coefficients can be set to 1/3.
Step S106: and judging whether the wireless sensor network has illegally invaded network nodes according to the size relation between the final clustering result and the number of the nodes in the wireless sensor network.
Specifically, whether the final clustering result is larger than the number of nodes in the wireless sensor network or not can be judged; if the number of the network nodes is larger than the preset number, illegal invasion network nodes exist in the wireless sensor network; and if the number is not larger than the preset value, the illegal invasion network node does not exist in the wireless sensor network.
Tests show that the RSSI and the LQI are clustered by adopting GSD, PAM and HAC clustering algorithms under the condition of using the same hardware, and the change of the number of nodes in the network can be monitored according to the change and the non-change of a clustering result. Under the condition of not increasing hardware cost and not changing original data, the data is subjected to clustering processing by using the characteristics of the data, clustering results are integrated, information of the number of nodes in the network is obtained, whether the number of the nodes in the network changes or not is detected, whether new malicious nodes are added in the network or not is judged, and intrusion monitoring is achieved. The arrangement cost and the calculation overhead are reduced, and the network security is improved.
The following three implementation processes of the clustering algorithm are respectively introduced in detail:
firstly, the implementation process of the clustering algorithm based on mathematical morphology, i.e. GSD clustering, may specifically be as follows:
and converting the collected LQI data into a step equation, and drawing the step equation on a two-dimensional coordinate system (an X coordinate system and a Y coordinate system) in sequence to form a link quality indication step curve graph, wherein the abscissa is a sampling sequence number and the ordinate is link quality. The region formed between this step curve and the X-axis of the coordinate axis is called a sub-map region. The sub-map region is then "eroded" (erased) step by step using the erosion operation in mathematical morphology until the sub-map region area is 0. The method comprises the following specific steps:
11) the total area of the sub-graph regions is calculated.
12) The unit square with a side length of 1 is determined as the basic structural element.
13) This structural element is used as an "eraser" to "erode" (erase) a region of the sub-image region corresponding to and only in the vertical direction to the size of the area of this structural element, and the area of the "eroded" region is calculated, as shown in fig. 2. In fig. 2, a square with a side length of 1 unit is used as a structural element to erase a sub-image region, and a dotted line portion is an "erased" sub-image region corresponding to and only corresponding to the size of the structural element in the vertical direction. It can be seen that the total "erased" regions are 5 unit squares, with an area of 5, while the total sub-image region area of 57, has a particle fraction of 5/57. And adding a unit square to the structural element in the horizontal direction to form a new structural element, and cutting the rest sub-image area to obtain the corresponding particle fraction. And circulating the steps, and adding a unit square in the horizontal direction each time to serve as a new structural element to erase the rest sub-picture area until the whole sub-picture area is erased.
14) The ratio of the area "eroded" to the total area of the sub-image region is found and is referred to as the particle fraction.
15) Adding a unit square to the basic structural element in the horizontal direction each time to form a new structural element, and then repeating the steps 3) and 4) until all the sub-map areas are erased by the structural element.
Thus, each erasure will generate a particle fraction, and the particle fractions are arranged according to the length sequence of the structural elements to obtain a particle fraction set. The cumulative distribution function of the particle fraction is obtained and converted into a step equation, and the function is plotted on an X-Y plane coordinate system, wherein the abscissa is the length of the structural element (the number of unit squares), and the ordinate is the cumulative distribution of the particles. This cumulative distribution curve is the particle distribution curve for the link quality, as shown in fig. 3. Fig. 3 shows the particle distribution curve of the stepwise equation of fig. 2, wherein the ordinate represents the cumulative particle distribution and the abscissa represents the length of the structural element. As can be seen from fig. 3, the particle accumulation distribution does not change from the structural element having a length of 5 to the structural element having a length of 9, indicating that there is no region corresponding to the area size of the corresponding structural element in the vertical direction within the sub-map region.
And finally, clustering the particle distribution curve, wherein the curve clustering result reflects the number of nodes in the network.
The realization principle of the algorithm for monitoring the illegal invasive node is as follows: link quality particle distribution profiles for different nodes due to link quality characteristics that are susceptible to interference and change with distance
Secondly, the distance-based clustering algorithm, i.e. the PAM clustering, may be implemented as follows:
the collected RSSI data is set as an abscissa (X-axis coordinate), and the collected LQI data is set as an ordinate (Y-axis coordinate). And the RSSI and LQI data collected by each sampling point are used as a two-dimensional coordinate point (RSSI, LQI) and are sequentially drawn on a two-dimensional coordinate system (X, Y coordinate system) to form an RSSI-LQI data combined distribution diagram, wherein the abscissa is the RSSI and the ordinate is the LQI.
And then clustering the objects by using a PAM algorithm, wherein the core idea of the PAM algorithm is to randomly select K objects as central points, and then repeatedly replace the central points with other non-central nodes, so that the clustering quality is improved. Then, generating a contour map of each clustering, and determining the optimal classification number by comparing the contour maps. PAM clustering specifically comprises the following steps:
21) and plotting the RSSI and the LQI data on a two-dimensional X, Y coordinate system to form an RSSI-LQI data joint distribution map.
22) The joint data was clustered by PAM clustering algorithm, and the clustering result is shown in fig. 4. Fig. 4 shows the clustering result of the primary PAM clustering, with RSSI on the X-axis abscissa and LQI on the Y-axis ordinate. The figure shows that all RSSI and LQI data are classified into four categories, indicating that a total of 4 nodes are transmitting in the wireless sensor network.
23) An outline of this clustering is generated, as shown in fig. 5, and fig. 5 shows an outline of the clustering result in fig. 4. The ordinate represents the number of classifications, the abscissa represents the size of the contour value, and the average contour value of this cluster is 0.8932. As can be seen from the figure, the contour value of each of the 4 clusters is plotted on the coordinate axis, and the degree of superiority of each cluster can be visually observed. And calculating the average contour value of the cluster
n is the sample capacity of the cluster.
24) Repeating for many times, and selecting the clustering result with the maximum average contour value as a second clustering result.
It should be noted that the selection of the optimal number of classifications may not be certain for a given set of RSSI and LQI data. In the invention, the degree of superiority of data classification is tested by using each clustering contour map, and statistically significant classification is determined so as to help select a proper category number. And (5) repeating the step (23) for at least 50 times, selecting the maximum average contour value, wherein the clustering result is the optimal clustering result, and the clustering number is the optimal clustering number.
Therefore, the problem that the optimal classification number is uncertain can be solved by selecting the maximum value of the average contour value, and the excellent degree of classification is ensured to the maximum extent. And determining the number of nodes in the network according to the obtained optimal clustering number.
The principle of the algorithm for monitoring the illegal invasive nodes is as follows: if a node in a known topology is suddenly attacked (data stealing, copying, etc.) by a spy node in other topologies arranged in the same geographical area during data transmission, the RSSI and LQI thereof will interfere with corresponding changes, resulting in a change in the number of finally obtained optimal classifications. Through PAM clustering and the optimal classification number obtained through the contour map generated by clustering each time, the change of the number of nodes in the network can be visually observed on the premise of not changing the original data, thereby judging whether the network is attacked or not.
Thirdly, the hierarchical clustering algorithm, i.e. the implementation process of HAC clustering, may specifically be as follows:
the collected RSSI data is set as an abscissa (X-axis coordinate), and the collected LQI data is set as an ordinate (Y-axis coordinate). And the RSSI and LQI data collected by each sampling point are used as a two-dimensional coordinate point (RSSI, LQI) and are sequentially drawn on a two-dimensional coordinate system (X, Y coordinate system) to form an RSSI-LQI data combined distribution diagram, wherein the abscissa is the RSSI and the ordinate is the LQI.
And then clustering it with HAC algorithm. The method of hierarchical clustering may be cohesive or split, depending on whether the hierarchical decomposition is formed in a bottom-up (merging) or top-down (splitting) manner. The method of clustering used here may be hierarchical clustering, which uses a bottom-up strategy. Starting with each object forming its own cluster and iteratively merging clusters into larger and larger clusters until all objects are in one cluster, or some termination condition is met. In the merging step, the two closest clusters are found according to some similarity measure and merged to form one cluster. Because each iteration merges two clusters, each of which contains at least one object, the agglomeration method requires a maximum of n iterations. Hierarchical clustering is typically represented using a tree structure called a tree diagram that shows how objects are grouped together step by step. The specific steps of HAC clustering are as follows:
31) and plotting the RSSI and the LQI data on a two-dimensional X, Y coordinate system to form an RSSI-LQI data joint distribution map.
32) The joint data is clustered by using the HAC clustering algorithm, and finally a tree-shaped graph is obtained, wherein the clustering result is shown in FIG. 6. Fig. 6 shows a tree diagram obtained by performing hierarchical clustering on RSSI and LQI data according to an aggregation method, where the obtained cluster number is different according to different interception standards, for example, interception standard 2 indicates that the cluster number is 3, interception standard 3 indicates that the cluster number is 2, and so on. The further processing is to perform contour coefficient graph analysis on the clustering results obtained by each interception standard, and the interception standard is adopted when the average contour coefficient of the clustering results obtained by which interception standard is closer to 1.
33) In the tree diagram, the determined number of clusters is also different according to different interception criteria, as shown in fig. 6. And then, carrying out contour coefficient analysis on different clustering results by adopting a contour coefficient method to obtain a contour map, and obtaining an optimal clustering result according to the contour map.
The principle of monitoring illegal invasive nodes by the HAC clustering algorithm is as follows: if a node in a known topological structure is suddenly attacked by a spy node (data stealing, copying, etc.) arranged in other topological structures in the same geographical area in the data transmission process, the RSSI and LQI thereof interfere with corresponding changes, so that the finally obtained optimal classification number changes. The optimal classification number is obtained through the HAC clustering and the contour maps generated by different interception standards, and the change of the number of the nodes in the network can be visually observed on the premise of not changing the original data, so that whether the network is attacked or not is judged.
In summary, the method for monitoring intrusion of a wireless sensor network node provided in this embodiment can determine a received signal strength indication and a link quality indication of each network node in the wireless sensor network when transmitting data, perform a mathematical morphology-based clustering algorithm, a distance-based clustering algorithm, and a hierarchy-based clustering algorithm on the received signal strength indication and the link strength indication, determine a final clustering result according to the obtained three clustering results, and determine whether there is an illegally-intruding network node according to a size relationship between the final clustering result and the number of nodes in the wireless sensor network. Therefore, the method integrates the three clustering methods to obtain the final clustering result, so that the clustering result is more accurate, the reliability is higher, and the purpose of monitoring illegal invasive nodes in the wireless sensor network is effectively realized.
In the following, a device for monitoring intrusion of a wireless sensor network node according to an embodiment of the present invention is introduced, and a device for monitoring intrusion of a wireless sensor network node described below and a method for monitoring intrusion of a wireless sensor network node described above may be referred to correspondingly.
Referring to fig. 7, the apparatus embodiment comprises:
the instruction determining module 701: the wireless sensor network is used for determining a received signal strength indication and a link quality indication of each network node in the wireless sensor network when transmitting data;
the first clustering module 702: the link quality indicator is clustered by using a clustering algorithm based on mathematical morphology to obtain a first clustering result;
the second clustering module 703: the device is used for clustering the received signal strength indication and the link quality indication by using a distance-based clustering algorithm to obtain a second clustering result;
the third clustering module 704: the clustering algorithm is used for clustering the received signal strength indication and the link quality indication to obtain a third clustering result;
the final clustering result determining module 705: determining a final clustering result according to the first clustering result, the second clustering result and the third clustering result;
the judging module 706: and judging whether the wireless sensor network has network nodes which are illegally invaded according to the size relationship between the final clustering result and the number of the nodes in the wireless sensor network.
The apparatus for monitoring intrusion of a wireless sensor network node provided in this embodiment is used to implement the foregoing method for monitoring intrusion of a wireless sensor network node, and therefore a specific implementation manner of the apparatus may be found in the foregoing embodiment portions of the method for monitoring intrusion of a wireless sensor network node, for example, the indication determining module 701, the first clustering module 702, the second clustering module 703, the third clustering module 704, the final clustering result determining module 705, and the determining module 706 are respectively used to implement steps S101, S102, S103, S104, S105, and S106 in the foregoing method for monitoring intrusion of a wireless sensor network node. Therefore, specific embodiments thereof may be referred to in the description of the corresponding respective partial embodiments, and will not be described herein.
In addition, since the apparatus for monitoring intrusion of a wireless sensor network node provided in this embodiment is used to implement the foregoing method for monitoring intrusion of a wireless sensor network node, the role of the apparatus corresponds to that of the foregoing method, and details are not described here.
In addition, the invention also provides a device for monitoring the intrusion of the wireless sensor network node, which comprises:
a memory: for storing a computer program;
a processor: for executing said computer program for carrying out the steps of a method for monitoring wireless sensor network node intrusion as described above.
Finally, the present invention also provides a computer readable storage medium having stored thereon a computer program which, when being executed by a processor, carries out the steps of a method of monitoring intrusion by a wireless sensor network node as described above.
Since the device for monitoring intrusion of a wireless sensor network node and the computer-readable storage medium provided by the present invention are used for implementing the foregoing method for monitoring intrusion of a wireless sensor network node, the implementation manner thereof can refer to the description of the foregoing method embodiment, and will not be described herein again, and moreover, the role thereof corresponds to the role of the foregoing method, and will not be described herein again.
The embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
Those of skill would further appreciate that the various illustrative components and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The method, apparatus, device and computer readable storage medium for monitoring intrusion into a wireless sensor network node provided by the present invention are described in detail above. The principles and embodiments of the present invention are explained herein using specific examples, which are presented only to assist in understanding the method and its core concepts. It should be noted that, for those skilled in the art, without departing from the principle of the present invention, several improvements and modifications can be made to the present invention, and these improvements and modifications also fall into the protection scope of the claims of the present invention.
Claims (7)
1. A method for monitoring intrusion of a wireless sensor network node is characterized by comprising the following steps:
determining a received signal strength indication and a link quality indication of each network node in the wireless sensor network when transmitting data;
clustering the link quality indicators by using a clustering algorithm based on mathematical morphology to obtain a first clustering result;
clustering the received signal strength indication and the link quality indication by using a distance-based clustering algorithm to obtain a second clustering result;
clustering the received signal strength indication and the link quality indication by using a hierarchical clustering algorithm to obtain a third clustering result;
determining a final clustering result according to the first clustering result, the second clustering result and the third clustering result;
judging whether illegal invasive network nodes exist in the wireless sensor network according to the size relation between the final clustering result and the number of the nodes in the wireless sensor network;
the clustering the link quality indicator by using a clustering algorithm based on mathematical morphology to obtain a first clustering result comprises:
determining a link quality step curve according to the link quality indication, wherein the abscissa of the link quality step curve is a sampling sequence number, and the ordinate of the link quality step curve is the link quality indication;
determining a subgraph region between the link quality step curve and the abscissa axis;
performing multiple operations on the subgraph region by using erosion operation in mathematical morphology to obtain a plurality of particle fractions;
determining a particle distribution curve according to the particle fraction;
determining the first clustering result according to the particle curve;
the clustering the received signal strength indication and the link quality indication by using a distance-based clustering algorithm to obtain a second clustering result comprises:
determining a data joint distribution graph according to the received signal strength indication and the link quality indication, wherein the abscissa of the joint distribution graph is the received signal strength indication, and the ordinate is the link quality indication;
performing clustering operation for a first preset number of times according to the data joint distribution map by using the distance-based clustering algorithm to obtain a plurality of clustering results;
determining the clustering result with the maximum average contour value in the clustering results, and taking the clustering result with the maximum average contour value as the second clustering result;
the clustering the received signal strength indication and the link quality indication by using a hierarchical clustering algorithm to obtain a third clustering result comprises:
determining the data joint distribution map according to the received signal strength indication and the link quality indication;
performing clustering operation according to the data joint distribution diagram by using the hierarchical clustering algorithm to obtain a dendrogram;
intercepting the dendrogram in a second preset time intercepting mode to determine a plurality of clustering results;
and determining the clustering result with the maximum average contour value in the clustering results, and taking the clustering result with the maximum average contour value as the third clustering result.
2. The method of claim 1, wherein determining a final clustering result based on the first clustering result, the second clustering result, and the third clustering result comprises:
assigning a first weight coefficient, a second weight coefficient and a third weight coefficient to the first clustering result, the second clustering result and the third clustering result respectively in advance, wherein the sum of the first weight coefficient, the second weight coefficient and the third weight coefficient is 1;
determining a final clustering result according to the first clustering result, the second clustering result, the third clustering result, the first weight coefficient, the second weight coefficient and the third weight coefficient;
the judging whether the network node invaded illegally exists in the wireless sensor network according to the size relationship between the final clustering result and the number of the nodes in the wireless sensor network comprises the following steps:
judging whether the final clustering result is larger than the number of nodes in the wireless sensor network;
and if so, the illegally invaded network node exists in the wireless sensor network.
3. The method of claim 2, wherein the first weight coefficient, the second weight coefficient, and the third weight coefficient are each 1/3.
4. The method of claim 1, wherein the total number of points in the data joint distribution map is represented as n, n points are divided into a plurality of classes, i is a positive integer between 1 and n, and the average contour value is calculated as
Wherein ρ (i) is a contour value of a point i in the data joint distribution graph; contour value of the point i
Wherein δ (i) is the difference degree between the point i and the current class, and ε (i) represents the minimum value of the difference degree between the point i and each class.
5. An apparatus for monitoring intrusion into a wireless sensor network node, comprising:
an indication determination module: the wireless sensor network is used for determining a received signal strength indication and a link quality indication of each network node in the wireless sensor network when transmitting data;
the first clustering module: the link quality indicator is clustered by using a clustering algorithm based on mathematical morphology to obtain a first clustering result;
a second type of module: the clustering module is used for clustering the received signal strength indication and the link quality indication by using a distance-based clustering algorithm to obtain a second clustering result;
a third clustering module: the clustering module is used for clustering the received signal strength indication and the link quality indication by utilizing a clustering algorithm based on a hierarchy to obtain a third clustering result;
a final clustering result determination module: determining a final clustering result according to the first clustering result, the second clustering result and the third clustering result;
a judging module: the network node is used for judging whether the wireless sensor network has illegal invasion according to the size relation between the final clustering result and the number of the nodes in the wireless sensor network;
the first clustering module is configured to:
determining a link quality step curve according to the link quality indication, wherein the abscissa of the link quality step curve is a sampling sequence number, and the ordinate of the link quality step curve is the link quality indication;
determining a subgraph region between the link quality step curve and the abscissa axis;
performing multiple operations on the subgraph region by using erosion operation in mathematical morphology to obtain a plurality of particle fractions;
determining a particle distribution curve according to the particle fraction;
determining the first clustering result according to the particle curve;
the second clustering module is to:
determining a data joint distribution graph according to the received signal strength indication and the link quality indication, wherein the abscissa of the joint distribution graph is the received signal strength indication, and the ordinate is the link quality indication;
performing clustering operation for a first preset number of times according to the data joint distribution map by using the distance-based clustering algorithm to obtain a plurality of clustering results;
determining the clustering result with the maximum average contour value in the clustering results, and taking the clustering result with the maximum average contour value as the second clustering result;
the third clustering module is configured to:
determining the data joint distribution map according to the received signal strength indication and the link quality indication;
performing clustering operation according to the data joint distribution diagram by using the hierarchical clustering algorithm to obtain a dendrogram;
intercepting the dendrogram in a second preset time intercepting mode to determine a plurality of clustering results;
and determining the clustering result with the maximum average contour value in the clustering results, and taking the clustering result with the maximum average contour value as the third clustering result.
6. An apparatus for monitoring intrusion into a wireless sensor network node, comprising:
a memory: for storing a computer program;
a processor: for executing the computer program for carrying out the steps of a method of monitoring intrusion by a wireless sensor network node according to any one of claims 1-4.
7. A computer-readable storage medium, having stored thereon a computer program which, when being executed by a processor, carries out the steps of a method of monitoring intrusion by a wireless sensor network node according to any one of claims 1 to 4.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201810750541.4A CN108881277B (en) | 2018-07-10 | 2018-07-10 | Method, device and equipment for monitoring wireless sensor network node intrusion |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201810750541.4A CN108881277B (en) | 2018-07-10 | 2018-07-10 | Method, device and equipment for monitoring wireless sensor network node intrusion |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN108881277A CN108881277A (en) | 2018-11-23 |
| CN108881277B true CN108881277B (en) | 2021-04-16 |
Family
ID=64300558
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201810750541.4A Active CN108881277B (en) | 2018-07-10 | 2018-07-10 | Method, device and equipment for monitoring wireless sensor network node intrusion |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN108881277B (en) |
Families Citing this family (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109936848A (en) * | 2019-03-01 | 2019-06-25 | 广东工业大学 | A kind of detection method, device and the computer readable storage medium of puppet access point |
| RU2744808C2 (en) * | 2019-05-07 | 2021-03-16 | Федеральное государственное бюджетное образовательное учреждение высшего образования "Владимирский Государственный Университет имени Александра Григорьевича и Николая Григорьевича Столетовых" (ВлГУ) | Method for local positioning of an information security intruder node in mobile data transmission systems |
| CN110266680B (en) * | 2019-06-17 | 2021-08-24 | 辽宁大学 | Industrial communication anomaly detection method based on dual similarity measurement |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101286872A (en) * | 2008-05-29 | 2008-10-15 | 上海交通大学 | Distributed intrusion detection method in wireless sensor network |
| CN103763703A (en) * | 2014-01-09 | 2014-04-30 | 广州中国科学院先进技术研究所 | Wireless network attack detection method based on mathematical morphology |
| CN104010311A (en) * | 2014-05-30 | 2014-08-27 | 广州中国科学院先进技术研究所 | Wireless sensor network intrusion detection method based on PAM clustering algorithm |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| TWI372369B (en) * | 2008-06-04 | 2012-09-11 | Univ Nat Chiao Tung | Intruder detection system and method |
| US8710983B2 (en) * | 2012-05-07 | 2014-04-29 | Integrated Security Corporation | Intelligent sensor network |
-
2018
- 2018-07-10 CN CN201810750541.4A patent/CN108881277B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101286872A (en) * | 2008-05-29 | 2008-10-15 | 上海交通大学 | Distributed intrusion detection method in wireless sensor network |
| CN103763703A (en) * | 2014-01-09 | 2014-04-30 | 广州中国科学院先进技术研究所 | Wireless network attack detection method based on mathematical morphology |
| CN104010311A (en) * | 2014-05-30 | 2014-08-27 | 广州中国科学院先进技术研究所 | Wireless sensor network intrusion detection method based on PAM clustering algorithm |
Non-Patent Citations (3)
| Title |
|---|
| "A Granulometric Size Distribution based Intrusion Detection Method for WSN";Xiaoling Wu;《IEEE》;20150315;全文 * |
| "RSSI and LQI Data Clustering Techniques to Determine the Number of Nodes in Wireless Sensor Networks";Xiaoling Wu;《Missouri University of Science and Technology Scholars" Mine》;20140501;全文 * |
| "周界入侵检测中基于WSN的目标定位算法";汪麟;《计算机工程》;20130930;全文 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN108881277A (en) | 2018-11-23 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN111935170B (en) | Network abnormal flow detection method, device and equipment | |
| CN108881277B (en) | Method, device and equipment for monitoring wireless sensor network node intrusion | |
| Liu et al. | Attack-resistant location estimation in wireless sensor networks | |
| Liu et al. | Attack-resistant location estimation in sensor networks | |
| CN111355697B (en) | Detection method, device, equipment and storage medium for botnet domain name family | |
| CN106506556A (en) | A kind of network flow abnormal detecting method and device | |
| CN112788066B (en) | Abnormal flow detection method and system for Internet of things equipment and storage medium | |
| Xie et al. | Histogram-based online anomaly detection in hierarchical wireless sensor networks | |
| CN111049680B (en) | Intranet transverse movement detection system and method based on graph representation learning | |
| KR20080066653A (en) | Method and apparatus for whole-network anomaly diagnosis and methods to detect and classify network anomalies using traffic feature distributions | |
| CN108684038A (en) | The hiding data attack detection method that mechanism is evaluated with hierarchical trust is calculated based on mist | |
| Aminanto et al. | Another fuzzy anomaly detection system based on ant clustering algorithm | |
| CN104618908B (en) | The method and apparatus that distributed cognition wireless network is attacked anti-distort perception data | |
| Ding et al. | The DPC-based scheme for detecting selective forwarding in clustered wireless sensor networks | |
| CN109936848A (en) | A kind of detection method, device and the computer readable storage medium of puppet access point | |
| Lin et al. | A sybil-resistant truth discovery framework for mobile crowdsensing | |
| Harrison et al. | Interactive detection of network anomalies via coordinated multiple views | |
| CN104010311A (en) | Wireless sensor network intrusion detection method based on PAM clustering algorithm | |
| CN112437440A (en) | Malicious collusion attack resisting method based on correlation theory in wireless sensor network | |
| Xiao et al. | An anomaly detection scheme based on machine learning for WSN | |
| CN114884755B (en) | Network security protection method and device, electronic equipment and storage medium | |
| Wei et al. | Detecting anomaly data for IoT sensor networks | |
| CN105636052B (en) | Detection method, node apparatus and the system of wireless sensor network malicious node | |
| Huang | Application of computer data mining technology based on AKN algorithm in denial of service attack defense detection | |
| CN114417270A (en) | Information safety protection method based on edge calculation |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |