CN108920356A - A kind of sensing node method for detecting abnormality of task based access control execution track model - Google Patents

A kind of sensing node method for detecting abnormality of task based access control execution track model Download PDF

Info

Publication number
CN108920356A
CN108920356A CN201810548226.3A CN201810548226A CN108920356A CN 108920356 A CN108920356 A CN 108920356A CN 201810548226 A CN201810548226 A CN 201810548226A CN 108920356 A CN108920356 A CN 108920356A
Authority
CN
China
Prior art keywords
task
abnormal
section
execution
model
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201810548226.3A
Other languages
Chinese (zh)
Other versions
CN108920356B (en
Inventor
马峻岩
张颖
王瑾
李易
张特
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Changan University
Original Assignee
Changan University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Changan University filed Critical Changan University
Priority to CN201810548226.3A priority Critical patent/CN108920356B/en
Publication of CN108920356A publication Critical patent/CN108920356A/en
Application granted granted Critical
Publication of CN108920356B publication Critical patent/CN108920356B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/36Preventing errors by testing or debugging software
    • G06F11/362Software debugging
    • G06F11/366Software debugging using diagnostics
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/36Preventing errors by testing or debugging software
    • G06F11/3668Software testing
    • G06F11/3672Test management
    • G06F11/3684Test management for test design, e.g. generating new test cases
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/36Preventing errors by testing or debugging software
    • G06F11/3668Software testing
    • G06F11/3672Test management
    • G06F11/3688Test management for test execution, e.g. scheduling of test suites
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14Network analysis or design
    • H04L41/145Network analysis or design involving simulating, designing, planning or modelling of a network

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The present invention provides a kind of sensing node method for detecting abnormality of task based access control execution track model, analysis is carried out to task execution track and establishes task execution model, and the abnormal section of task execution locus model progress executed extremely is detected to realize using a category support vector machines disaggregated model and quickly positions exception section and abnormal generation moment;Significance test further is carried out to all tasks executed in application program using hypothesis testing after determining abnormal ranges, comparative analysis, which is normally executed, determines possible abnormal execution task with the abnormal difference for executing task execution situation;Model accuracy rate with higher and low false detection rate can be determined by Performance Evaluation of the testing result to OCSVM disaggregated model.

Description

A kind of sensing node method for detecting abnormality of task based access control execution track model
Technical field
The present invention relates to wireless sensor network technology field, in particular to a kind of sense of task based access control execution track model Know node anomaly detection method.
Background technique
In recent years, wireless sensor network using more and more extensive so that its network structure becomes increasingly complex, function is got over Come that more perfect, the degree of automation is also higher and higher, promotes the fast development of intelligent transportation system.However, due to traffic system Itself it is one to contain much information, the strong complex gigantic system of dynamic, so that wireless sensor network is in the application by various nothings The factor that method avoids influences and application environment is complicated severe, causes wireless sensor network to be likely to occur environment in the process of running dry It disturbs, hardware failure and the problems such as software failure.These problems not only will affect network performance, while also resulting in node and occurring not Predictable exception causes heavy losses even network paralysis.Meanwhile the complete and network knot of wireless sensor network functionally Structure becomes increasingly complex, and to wireless sensor network fault detection, more stringent requirements are proposed.
Sensor network fault can substantially be divided into three classes:Application failure, network failure and node failure [4].Using event Hindering possible manifestation mode has perception data missing, detection delay are longer and life cycle is too short etc.;And link failure, data packet Loss, network congestion, route loop and network fracture then belong to network failure scope;Node failure include restart, damage, hardware Failure, without response, energy pre-mature exhaustion, sensor reading failure and faulty software behavior.Accurately and effectively method for diagnosing faults Diagnosis, prevention and reparation can be made to various abnormalities in time, improve sensor network reliability of operation, safety and Validity ensures complete function and the long-term and effective operation of sensor network.
Exception definition is a kind of mode not being inconsistent with desired normal behaviour.Therefore, a kind of most direct for abnormal behaviour Effective detection method is to define the range or correlated characteristic of an expression normal behaviour, then observes in data and be not belonging to normal model The data enclosed or do not have correlated characteristic under normal circumstances can be determined as abnormal data.However, wireless sensor network The where the shoe pinches of the realization of abnormality detection are not to judge whether data belong to normal range (NR) and whether data have normal number According to correlated characteristic, it is mostly important and what is be difficult to realize is determining normal range (NR) and obtains correlated characteristic under normal circumstances.It is different Normal detection field scholar needs to overcome lot of challenges in terms of determining normal behaviour mode, mainly includes:
(1) be difficult to define one include all possible normal behaviour range.
(2) some exceptions from malicious attacker to become its identification by the forms of expression of normal mode It is difficult.
(3) development of the advanced technologies such as information technology and radio technology is so that wireless sensor is also gradually applied to newly Field, and existing exception definition is not appropriate for the abnormality detection of new application field.
(4) it cannot go to define the exception in different application fields with a determining exception definition.
(5) it is difficult to obtain accurate, representative training dataset and validation data set.
Summary of the invention
Aiming at the problems existing in the prior art, the object of the present invention is to provide a kind of task based access control execution track moulds The sensing node method for detecting abnormality of type, this method can accurately obtain the abnormal task in the source code in sensing node.
To achieve the goals above, the present invention adopts the following technical scheme that:
A kind of sensing node method for detecting abnormality of task based access control execution track model, this method is for obtaining sensing node In source code in abnormal task, include the following steps:
Step 1, the experience table of running in abnormal source code and normal source code for task is extracted respectively, point It is not denoted as abnormal task execution record and normal tasks execute record;Experience table includes timestamp information and task I D;
Step 2:It is based respectively on abnormal task execution record and normal tasks executes record, utilize and execute the building of task track Method constructs abnormal task execution track model and normal tasks execution track model;
Step 3:OCSVM classification mould is obtained by the method training of feature extraction using normal tasks execution track model Type;
Step 4, by abnormal task execution track mode input into OCSVM disaggregated model, an abnormal section is exported, it should Abnormal section includes multiple sections;
Step 5, for each task, execution frequency of the task in each section in abnormal section is extracted, is formed The corresponding abnormal task of the task executes frequency vector;For each task, the task is extracted in normal tasks execution track mould The execution frequency in each section in type forms the corresponding normal tasks of the task and executes frequency vector;
Step 6, for each task, frequency vector sum normal tasks is executed to the corresponding abnormal task of the task and execute frequency Number vector carries out double sample T inspection, and exporting the task is normal tasks or abnormal task, and all abnormal tasks can be obtained.
Specifically, the execution task track construction method in the step 2, includes the following steps:
Using timestamp information, record is executed to abnormal task according to the time window being sized and carries out interval division, is obtained To multiple sections;For each section, the execution frequency of each task in the section, the execution frequency shape of all tasks are counted At the corresponding section frequency vector in the section;The corresponding section in all sections executes frequency vector and forms abnormal task execution track Model;
Using timestamp information, record is executed to normal tasks according to the time window being sized and carries out interval division, is obtained To multiple sections;For each section, the execution frequency of each task in the section, the execution frequency shape of all tasks are counted At the corresponding section frequency vector in the section;The corresponding section in all sections executes frequency vector and forms normal tasks execution track Model.
Compared with prior art, the present invention has the following technical effects:
The present invention carries out analysis to task execution track and establishes task execution model, and uses a category support vector machines (OCSVM) disaggregated model realizes quickly positioning exception to the abnormal section detection of the task execution locus model progress executed extremely Section and abnormal generation moment;Further utilize hypothesis testing to all executed in application program after determining abnormal ranges Business carries out significance test, and comparative analysis, which is normally executed, determines that possible exception is held with the abnormal difference for executing task execution situation Row task;By Performance Evaluation of the testing result to OCSVM disaggregated model can determine model accuracy rate with higher and Low false detection rate.
Explanation and illustration in further detail is made to the solution of the present invention with reference to the accompanying drawings and detailed description.
Detailed description of the invention
Fig. 1 is the network topological diagram in embodiment.
Specific embodiment
The present invention provides a kind of sensing node method for detecting abnormality of task based access control execution track model, and this method is for obtaining The abnormal task in the source code in sensing node is taken, source code is run in sensing node, is included the following steps:
Step 1, the experience table of running in abnormal source code and normal source code for task is extracted respectively, point It is not denoted as abnormal task execution record and normal tasks execute record;Experience table includes timestamp information and task I D. Wherein, the experience table of running in abnormal source code and normal source code for task, the side of use are extracted respectively Method is as follows:
Code pitching pile, compilation run are carried out to source code, obtain journal file, task execution note is extracted from journal file Record, which includes timestamp information and task I D.Experience table and task correlation function call record group At journal file.
Step 2:It is based respectively on abnormal task execution record and normal tasks executes record, utilize and execute the building of task track Method constructs abnormal task execution track model and normal tasks execution track model.
Step 3:OCSVM classification mould is obtained by the method training of feature extraction using normal tasks execution track model Type.
Step 4, by abnormal task execution track mode input into OCSVM disaggregated model, an abnormal section is exported, it should Abnormal section includes multiple sections.
Step 5, for each task, execution frequency of the task in each section in abnormal section is extracted, is formed The corresponding abnormal task of the task executes frequency vector;For each task, the task is extracted in normal tasks execution track mould The execution frequency in each section in type forms the corresponding normal tasks of the task and executes frequency vector.
Step 6, for each task, frequency vector sum normal tasks is executed to the corresponding abnormal task of the task and execute frequency Number vector carries out double sample T inspection, and exporting the task is normal tasks or abnormal task, and all abnormal tasks can be obtained.
Specifically, in another embodiment, the execution task track construction method in step 2, includes the following steps:
Using timestamp information, record is executed to abnormal task according to the time window being sized and carries out interval division, is obtained To multiple sections;For each section, the execution frequency of each task in the section, the execution frequency shape of all tasks are counted At the corresponding section frequency vector in the section;The corresponding section in all sections executes frequency vector and forms abnormal task execution track Model;
Using timestamp information, record is executed to normal tasks according to the time window being sized and carries out interval division, is obtained To multiple sections;For each section, the execution frequency of each task in the section, the execution frequency shape of all tasks are counted At the corresponding section frequency vector in the section;The corresponding section in all sections executes frequency vector and forms normal tasks execution track Model.
Embodiment
The TelosB node that experiment runs TestDissemination (TinyOS application program) by 4 forms, setting section The communication radius of point is 50 meters.
One for this example has node network topology of the version of system defect in normal execute as shown in Figure 1. Wherein No. 1 node is distribution node, periodically sends data to its child node, and No. 2 nodes directly communicates with No. 1 node, and No. 3 with No. 4 nodes can only realize the communication with No. 1 node by No. 2 nodes.
In order to test process performing of No. 2 nodes after losing distribution node, two test cases, two tests are devised The simulation time of use-case is all 1 hour.Test case 1 is that No. 1 is deleted when program runs 45min after repairing fault code Node terminates after operation 1 hour, herein it is assumed that program can guarantee to operate normally after having repaired defect code.Test Use-case 2 then uses fault code, and No. 1 node is equally deleted in 45min, terminates after program is run 1 hour.Experiment uses Information records when COOJA simulator is to the operations of No. 2 nodes.
The experience table in test case 1 and test case 2 in No. 2 nodes is extracted, constructs task execution rail respectively Mark model.One category support vector machines model of model training is estimated using the task execution of test case 1, by test case 2 Task execution locus model is input in a category support vector machines model, the available section executed extremely.Such as 1 institute of table Show, for according to different time windows, to task execution locus model carry out abnormal section detection as a result, binding time window The Base Serial Number in size and abnormal section, can calculate the period occurred extremely, can verify a classification branch by calculating Holding vector machine model can detecte out the period occurred extremely.
The abnormal section testing result of 1 node of table 2
When by the test case 1 of No. 2 nodes and the corresponding task execution sequence of test case 2 according to the starting occurred extremely It carves and carries out cutting, the test case 1 and the corresponding task execution sequence of test case 2 after only exception occurs are according to specified time Window divides, and constructs task execution locus model respectively.The execution frequency to each task when normal and abnormal is examined using T T inspection is carried out, refusal null hypothesis then shows that exception has occurred in the task execution.It is by the abnormal task that T is examined 0x000a(VirtualizeTimerC__0__updateFromTimer)。
By the way that after deleting distribution node, the task execution of test case 1 and test case 2 is sent out known to verifying Variation.Test case 1 only has task 0x0009 (AlarmToTimerC__0__ after deleting No. 1 node in No. 2 nodes Fired) executed with task 0x000a, and test case 2 is deleting 10 minutes after No. 1 node in, execute 0x0009 and 0x000a, the execution frequency of task 0x000a sharply increases later.Illustrate that exception has occurred in the execution of task 0x000a really.

Claims (2)

1. a kind of sensing node method for detecting abnormality of task based access control execution track model, this method is for obtaining in sensing node Source code in abnormal task, which is characterized in that include the following steps:
Step 1, the experience table for extracting running in abnormal source code and normal source code for task respectively, remembers respectively Record is executed for abnormal task and normal tasks execute record;Experience table includes timestamp information and task ID;
Step 2:It is based respectively on abnormal task execution record and normal tasks executes record, utilize and execute task track building side Method constructs abnormal task execution track model and normal tasks execution track model;
Step 3:OCSVM disaggregated model is obtained by the method training of feature extraction using normal tasks execution track model;
Step 4, by abnormal task execution track mode input into OCSVM disaggregated model, an abnormal section, the exception are exported Section includes multiple sections;
Step 5, for each task, execution frequency of the task in each section in abnormal section is extracted, forms this Be engaged in corresponding abnormal task executes frequency vector;For each task, the task is extracted in normal tasks execution track model Each section in execution frequency, form the corresponding normal tasks of the task and execute frequency vector;
Step 6, for each task, to the corresponding abnormal task of the task execute frequency vector sum normal tasks execute frequency to Amount carries out double sample T inspection, and exporting the task is normal tasks or abnormal task, and all abnormal tasks can be obtained.
2. the sensing node method for detecting abnormality of task based access control execution track model as described in claim 1, feature exist In execution task track construction method in the step 2 includes the following steps:
Using timestamp information, record is executed to abnormal task according to the time window being sized and carries out interval division, is obtained more A section;For each section, the execution frequency of each task in the section is counted, the execution frequency of all tasks is formed should The corresponding section frequency vector in section;The corresponding section in all sections executes frequency vector and forms abnormal task execution track mould Type;
Using timestamp information, record is executed to normal tasks according to the time window being sized and carries out interval division, is obtained more A section;For each section, the execution frequency of each task in the section is counted, the execution frequency of all tasks is formed should The corresponding section frequency vector in section;The corresponding section in all sections executes frequency vector and forms normal tasks execution track mould Type.
CN201810548226.3A 2018-05-31 2018-05-31 Sensing node abnormity detection method based on task execution trajectory model Expired - Fee Related CN108920356B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810548226.3A CN108920356B (en) 2018-05-31 2018-05-31 Sensing node abnormity detection method based on task execution trajectory model

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810548226.3A CN108920356B (en) 2018-05-31 2018-05-31 Sensing node abnormity detection method based on task execution trajectory model

Publications (2)

Publication Number Publication Date
CN108920356A true CN108920356A (en) 2018-11-30
CN108920356B CN108920356B (en) 2021-07-27

Family

ID=64410603

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810548226.3A Expired - Fee Related CN108920356B (en) 2018-05-31 2018-05-31 Sensing node abnormity detection method based on task execution trajectory model

Country Status (1)

Country Link
CN (1) CN108920356B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101867486A (en) * 2010-06-08 2010-10-20 江苏大学 Wireless sensor network fault diagnosis method
CN101907088A (en) * 2010-05-27 2010-12-08 中国人民解放军国防科学技术大学 Fault diagnosis method based on one-class support vector machines
US20140355454A1 (en) * 2011-09-02 2014-12-04 Telcordia Technologies, Inc. Communication Node Operable to Estimate Faults in an Ad Hoc Network and Method of Performing the Same
US20150199466A1 (en) * 2014-01-10 2015-07-16 International Business Machines Corporation Automatic test pattern generation (atpg) considering crosstalk effects
CN106209893A (en) * 2016-07-27 2016-12-07 中国人民解放军信息工程大学 The inside threat detecting system excavated based on business process model and detection method thereof
CN107229849A (en) * 2016-03-24 2017-10-03 全球能源互联网研究院 Towards the database user behavior safety auditing method on power information intranet and extranet border
CN107947972A (en) * 2017-11-16 2018-04-20 长安大学 A kind of sensing node abnormal operating condition detection method and detection device
CN108093406A (en) * 2017-11-29 2018-05-29 重庆邮电大学 A kind of wireless sense network intrusion detection method based on integrated study

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101907088A (en) * 2010-05-27 2010-12-08 中国人民解放军国防科学技术大学 Fault diagnosis method based on one-class support vector machines
CN101867486A (en) * 2010-06-08 2010-10-20 江苏大学 Wireless sensor network fault diagnosis method
US20140355454A1 (en) * 2011-09-02 2014-12-04 Telcordia Technologies, Inc. Communication Node Operable to Estimate Faults in an Ad Hoc Network and Method of Performing the Same
US20150199466A1 (en) * 2014-01-10 2015-07-16 International Business Machines Corporation Automatic test pattern generation (atpg) considering crosstalk effects
CN107229849A (en) * 2016-03-24 2017-10-03 全球能源互联网研究院 Towards the database user behavior safety auditing method on power information intranet and extranet border
CN106209893A (en) * 2016-07-27 2016-12-07 中国人民解放军信息工程大学 The inside threat detecting system excavated based on business process model and detection method thereof
CN107947972A (en) * 2017-11-16 2018-04-20 长安大学 A kind of sensing node abnormal operating condition detection method and detection device
CN108093406A (en) * 2017-11-29 2018-05-29 重庆邮电大学 A kind of wireless sense network intrusion detection method based on integrated study

Non-Patent Citations (7)

* Cited by examiner, † Cited by third party
Title
VAN VUONG TRINH 等: "Data driven hyperparameter optimization of one-class support vector machines for anomaly detection in wireless sensor networks", 《2017 INTERNATIONAL CONFERENCE ON ADVANCED TECHNOLOGIES FOR COMMUNICATIONS (ATC)》 *
YANGFAN ZHOU 等: "Sentomist: Unveiling Transient Sensor Network Bugs via Symptom Mining", 《2010 IEEE 30TH INTERNATIONAL CONFERENCE ON DISTRIBUTED COMPUTING SYSTEMS》 *
李琳: "基于OCSVM的工业控制系统入侵检测算法研究", 《中国优秀硕士学位论文全文数据库 信息科技辑》 *
王涛 等: "无线自组织网络中多层综合的节点行为异常检测方法", 《计算机科学》 *
费欢 等: "基于K-means聚类的WSN异常数据检测算法", 《计算机工程》 *
马峻岩 等: "基于异常任务运行记录的WSN故障检测", 《计算机工程》 *
鲍苏宁: "基于核方法的轨迹异常检测", 《中国优秀硕士学位论文全文数据库 信息科技辑》 *

Also Published As

Publication number Publication date
CN108920356B (en) 2021-07-27

Similar Documents

Publication Publication Date Title
CN104050075B (en) The method of testing and device of Andriod application programs
Bhuiyan et al. Dependable structural health monitoring using wireless sensor networks
CN107947972B (en) Detection method and detection device for sensing abnormal operation state of node
CN112799898B (en) Interconnection system fault node positioning method and system based on distributed fault detection
CN104978262A (en) Terminal test method and terminal test device
CN111174370A (en) Fault detection method and device, storage medium and electronic device
CN105740149A (en) Software security detection method based on combination of vulnerability model and symbolic execution
CN102096410A (en) Dynamic function test method of high-speed train operation control system
CN108683564A (en) A kind of network (WSN) emulation system credibility evaluation method based on Multidimensional decision-making attribute
CN103092762B (en) A kind of real-time software defect detection method being applicable to rapid software development model
CN110489317A (en) Cloud system task run method for diagnosing faults and system based on workflow
CN113163011A (en) Method, system, device and storage medium for modifying data in block chain
CN103198016A (en) Software error positioning method based on joint dependent probability modeling
CN103391224A (en) Protocol layering test generation method based on parallel expansion finite-state machine
CN105721209A (en) Fault detection method for noisy network
CN105577432A (en) Network packet loss probability prediction method based on correlation analysis
CN105528296B (en) A kind of class cluster test method of object-oriented software
CN108920356A (en) A kind of sensing node method for detecting abnormality of task based access control execution track model
CN102789417B (en) Program detecting system and method based on directional symbol execution on mobile intelligent terminal
CN109032918A (en) A kind of sensing node program exception diagnostic method based on abnormal task function trace
CN102567162B (en) A kind of physical layer system demo plant based on DSP core and method
CN107517474B (en) Network analysis optimization method and device
CN103150254B (en) Error locating method for software based on state-dependent probabilistic modeling
CN105789081B (en) A kind of system and method for accelerating WAT tests
CN109302322B (en) Test system and method for improving test accuracy of nuclear security level network

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20210727

CF01 Termination of patent right due to non-payment of annual fee