CN109547504A - A kind of mobile sensor network intrusion detection and automated response method - Google Patents



Publication number
CN109547504A
Authority
CN
China
Prior art keywords
network
attack
intrusion
matrix
node
Legal status
Granted
Application number
CN201910075324.4A
Other languages
Chinese (zh)
Other versions
CN109547504B (en)
Inventor
秦丹阳
赵敏
徐广超
马宏斌
王英丽
Current Assignee
Heilongjiang University
Original Assignee
Heilongjiang University
Events
Application CN201910075324.4A filed by Heilongjiang University
Priority to CN201910075324.4A
Publication of CN109547504A
Application granted
Publication of CN109547504B
Current legal status: Expired - Fee Related


Classifications

    • H04L 63/1416 Event detection, e.g. attack signature detection (under H04L 63/14, network architectures or network communication protocols for network security for detecting or protecting against malicious traffic, and H04L 63/1408, by monitoring network traffic)
    • H04W 12/12 Detection or prevention of fraud (under H04W 12/00, security arrangements; authentication; protecting privacy or anonymity)
    • H04L 63/1458 Denial of Service (under H04L 63/1441, countermeasures against malicious traffic)


Abstract

A mobile sensor network intrusion detection and automated response method. The invention relates to intrusion detection and adaptive response for mobile sensor networks. Its purpose is to solve the problem that existing work on intrusions into mobile sensor networks usually concentrates on targeted detection of one particular kind of attack, and that the defence methods are likewise aimed at a specific attack, so that attacks whose nature is not known in advance cannot be handled. The process is: one, monitor the network and collect data; two, process the collected data and store the processed data in an initial training profile; three, the management node uses the parameters of the network characterization matrix to identify intrusions in the network with an anomaly-based intrusion detection method; four, build a decision table from the attack confidence level, the network performance degradation level and the adaptive intrusion response action list, and select the intrusion response according to that table. The invention is used in the field of security protection for mobile sensor networks.

Description

Mobile sensor network intrusion detection and automated response method
Technical field
The invention relates to the field of security protection for mobile sensor networks, and in particular to a mobile sensor network intrusion detection and adaptive response method.
Background technique
A mobile sensor network is a network form with a dynamic topology made up of mobile terminals, and it is widely used in many military and civilian fields. Whether for the transmission of sensitive information in the military domain or the handling of confidential information in civilian applications, the lack of centralized control, the dynamic topology and the energy constraints of mobile sensor networks expose the network layer to a variety of attacks, such as black hole, gray hole, flooding and rushing attacks, which bring serious security risks to users. The security threats faced by mobile sensor networks must therefore be addressed. Encryption and authentication alone are far from sufficient to protect information fully during communication. To obtain a higher level of security it is essential to deploy a defence system on the key nodes of the network. Compared with a firewall, an intrusion detection system is an active defence technique that makes up for some shortcomings of firewall technology: it actively collects information from the network or the system in real time, analyses and judges that information, and, if it concludes that the information violates the relevant security rules, raises an alarm and responds to the intrusive behaviour, thereby achieving protection. However, most existing research on intrusions into mobile sensor networks concentrates on targeted detection of one particular kind of attack, and the defence methods are likewise aimed at a specific attack, so they cannot deal with attacks of a kind not known in advance.
Summary of the invention
The object of the invention is to solve the problem that existing work on intrusions into mobile sensor networks usually concentrates on targeted detection of one particular kind of attack, and that the defence methods are likewise aimed at a specific attack, so that attacks of a kind not known in advance cannot be handled; to this end a mobile sensor network intrusion detection and automated response method is proposed.
The detailed process of the mobile sensor network intrusion detection and automated response method is as follows:
Step 1: monitor the network and collect data;
Step 2: process the collected data and store the processed data in an initial training profile;
Step 3: on the basis of step 2, the management node uses the parameters of the network characterization matrix to identify intrusions in the network with an anomaly-based intrusion detection method;
Step 4: on the basis of step 3, compute the attack confidence value and the network performance degradation value; build the adaptive intrusion response action list from the attack confidence value and the network performance degradation value; build a decision table from the attack confidence level, the network performance degradation level and the adaptive intrusion response action list, and select the intrusion response according to the decision table thus built.
The invention has the following benefits:
The invention proposes a reliable and effective intrusion detection and automated response mechanism for mobile sensor networks (IDARM). The core of IDARM is its adaptive intrusion response mechanism, whose main tasks are: first, the management node computes the attack confidence value from the detection information and the accusation information; then, using the parameters in the matrices, it computes the network performance degradation value and thereby evaluates the severity of the attack; finally, it selects a suitable response action and so realises an effective intrusion response. IDARM solves the problem that existing work on intrusions into mobile sensor networks concentrates on targeted detection of one particular kind of attack, with defence methods that are likewise aimed at a specific attack and so cannot handle attacks of a kind not known in advance.
Fig. 4 to Fig. 6 show the success rate and false-alarm rate of IDARM under flooding attacks, black hole and gray hole attacks, and rushing attacks. For each network size (25, 50 or 100 nodes), at the average test node speed, 40 runs without an intruder and 40 runs with an intruder were executed. The results show that IDARM achieves a high success rate and a low false-alarm rate against these attacks.
Assessment of the intrusion response actions selected by IDARM:
Fig. 7 and Fig. 8 show which intrusion response action IDARM selects under a black hole attack; the results show that for a black hole attack IDARM chooses full isolation in 90% of cases on average.
Fig. 9 shows which intrusion response action IDARM selects under a flooding attack; the results show that IDARM chooses to isolate the intruding node in 78% of cases on average, which demonstrates the appropriateness of the selection overall, and that IDARM scales well to larger networks of more than 100 nodes.
Fig. 10 shows which intrusion response action IDARM selects under a rushing attack. For this attack IDARM chooses not to punish the intruding node in the majority of cases, because the effect of a rushing attack on network performance is usually very small, and taking a strict isolation measure against a minor attack would itself degrade network performance. The results therefore show the flexibility and effectiveness of IDARM.
Effect of IDARM on network performance:
Fig. 11 and Fig. 12 show the effectiveness of the intrusion response mechanism in networks of 25 and 50 nodes respectively. 30 attacks were run in each network: 10 with no response to the intrusion, 10 with a fixed response (isolating the intruder in every case), and 10 with the adaptive intrusion response. The statistics show that the average network performance degradation value is lowest with the automated response mechanism. The adaptive response mechanism not only minimises the negative effect on network performance across all attacks, but for some mild attacks (such as rushing attacks or some gray hole attacks) it significantly reduces the degradation of network performance.
Detailed description of the invention
Fig. 1 is the architecture model of IDARM;
Fig. 2 is the architecture model of the adaptive intrusion response method;
Fig. 3 is, for a test sliding window of p = 5, the plot of how $P_c$ varies with d for different values of P;
Fig. 4 shows the success rate and false-alarm rate under a flooding attack;
Fig. 5 shows the success rate and false-alarm rate under black hole and gray hole attacks;
Fig. 6 shows the success rate and false-alarm rate under a rushing attack;
Fig. 7 shows the intrusion response action selection under a black hole attack;
Fig. 8 shows the intrusion response action selection under a black hole attack with the improved NP level;
Fig. 9 shows the intrusion response action selection under a flooding attack;
Fig. 10 shows the intrusion response action selection under a rushing attack;
Fig. 11 shows the effectiveness of the intrusion response against the various attacks in a 25-node network;
Fig. 12 shows the effectiveness of the intrusion response against the various attacks in a 50-node network.
Specific embodiment
Specific embodiment 1: the mobile sensor network intrusion detection and automated response method of this embodiment proceeds as follows:
Step 1: monitor the network and collect data;
Step 2: process the collected data and store the processed data in an initial training profile (ITP);
Step 3: on the basis of step 2, the management node uses the parameters of the network characterization matrix to identify intrusions in the network with an anomaly-based intrusion detection method;
Step 4: on the basis of step 3, compute the attack confidence value (ACV) and the network performance degradation value (NP); build the adaptive intrusion response action list from the ACV and the NP; build a decision table from the attack confidence level, the network performance degradation level and the adaptive intrusion response action list, and select the intrusion response according to the decision table thus built, as in Fig. 2;
First, the management node computes the attack confidence value from the detection information and the accusation information; then it computes the network performance degradation value from the parameters in the matrices, and so measures the severity of the attack; finally it selects a suitable response action and realises an effective intrusion response;
The response action is selected according to the decision table; the decision table defines the selection criterion for the intrusion response action in terms of the attack confidence level, the network performance degradation level and the appropriateness of the response action in the current environment.
The principle and process of this embodiment are described in detail below. It should be noted that, in the view of the inventors, with a suitable choice of matrices the adaptive protection mechanism can also be applied effectively to attacks on the physical layer and the data link layer.
The initial behaviour of the network is assumed to be free of anomalies. A clustered mobile network organisation is adopted: all network nodes operate in one of three roles according to their function, namely management node, cluster head and cluster member node.
The mobile sensor network intrusion detection and automated response mechanism is abbreviated IDARM; the knowledge-base model of IDARM is as follows:
Specific embodiment 2: this embodiment differs from embodiment 1 in that step 1, monitoring the network and collecting data, proceeds as follows:
Fig. 1 shows the architecture of IDARM; its first stage is network monitoring and data collection. To realise intrusion detection and provide prevention and protection throughout the network, IDARM periodically collects data in the network and thereby monitors the whole network.
Collecting data means that after each interval the cluster heads gather data from the cluster member nodes in their virtual clusters; these data are stored in matrix form in the network characterization matrix and the performance matrix;
The cluster heads report the network characterization matrix and the performance matrix to the management node;
The network characterization matrix is composed of seven parameters: route reply, route request, route error, time-to-live value, route request source sequence number, route reply destination sequence number and route request destination sequence number (these values are obtained directly from the monitored data);
The network characterization matrix is a two-dimensional (r × c) matrix, r being the number of rows and c the number of columns. There are 7 rows: row 1 stores the route reply sequence, row 2 the route request sequence, row 3 the route error sequence, row 4 the time-to-live value sequence, row 5 the route request source sequence number sequence, row 6 the route reply destination sequence number sequence and row 7 the route request destination sequence number sequence. Each row therefore represents a different parameter and the columns hold the data content of that parameter; since the data length differs from parameter to parameter, every row is padded with zeros at its end so that all rows have the same length;
Its storage structure is therefore allocated dynamically by the monitor of the adaptive protection mechanism.
Network characterization matrix = [route reply, route request, route error, time-to-live value, route request source sequence number, route reply destination sequence number, route request destination sequence number]
The performance matrix is composed of four parameters: routing protocol overhead, packet delivery ratio, number of lost control packets and throughput; the performance matrix parameters are computed from the seven parameters of the network characterization matrix;
Performance matrix = [routing protocol overhead, packet delivery ratio, number of lost control packets, throughput] (an ordinary one-dimensional matrix);
In the performance matrix, the routing protocol overhead is the ratio of the number of packets sent to the destination node in the network to the total number of packets required in the whole process;
The packet delivery ratio is the ratio of the number of packets received by the destination node to the number of packets originally sent by the source node;
The number of lost control packets is the number of routing packets lost during the routing process, which in the network comprises route discovery and route maintenance;
The last parameter of the performance matrix is the throughput, i.e. the amount of data transmitted successfully per unit time; here it represents the average network throughput.
Other steps and parameter are same as the specific embodiment one.
Specific embodiment 3: this embodiment differs from embodiments 1 and 2 in that step 2, processing the collected data and storing the processed data in the initial training profile (ITP), proceeds as follows:
Cluster heads continuously collect data from the cluster member nodes in their virtual clusters; these data are stored in matrix form in the network characterization matrix and the performance matrix; at fixed time intervals the cluster heads report the network characterization matrix and the performance matrix to the management node;
The expected value of the network characterization matrix is expressed through a set of random variables representing the network characterization matrix, indexed by a, b and c;
where a denotes the a-th time interval, b the b-th parameter of the network characterization matrix, and c the index of a random variable within the b-th parameter of the network characterization matrix, 1 ≤ c ≤ M, M being the maximum number of random variables of the b-th parameter of the network characterization matrix in the a-th time interval;
The expected value of the performance matrix is expressed in the same way;
The management node computes the expected value of the probability distribution of the network characterization matrix in the a-th time interval;
The performance matrix parameters of the a-th time interval, i.e. routing protocol overhead, packet delivery ratio, number of lost control packets and throughput, are computed from the seven parameters of the network characterization matrix;
The management node computes the expected value of the probability distribution of the performance matrix in the a-th time interval;
1 ≤ a ≤ N;
The management node then computes the averages of the network characterization matrix and of the performance matrix over the N time intervals, and stores the averages in an initial training profile (ITP) for the network characterization matrix and the performance matrix.
These initial training profiles reflect the normal behaviour and network performance of the network nodes.
The averaged network characterization matrix and performance matrix serve as the expected values.
Other steps and parameter are the same as one or two specific embodiments.
Specific embodiment 4: this embodiment differs from embodiments 1 to 3 in that step 3, in which the management node, on the basis of step 2, uses the parameters of the network characterization matrix to identify intrusions in the network with an anomaly-based intrusion detection method, proceeds as follows:
Compute the probability distribution of each parameter of the network characterization matrix and store the probability distribution of each parameter as the observation;
Observations are taken from network monitoring and data collection, which run continuously throughout the network. In the initial period, while the network is normal, the collected data are taken as the expected values for later comparison; afterwards it is not known whether the network is abnormal, and the data collected then form the observations.
In the a-th time interval, for each parameter b of the observed network characterization matrix, the management node performs a hypothesis test of the null hypothesis $H_0[b]$ (the observation of the network characterization matrix conforms to the expected value), i.e. it evaluates formula (1);
In formula (1), $X^2[b]$ is the chi-square test value and the other quantity is the observation of the network characterization matrix;
The management node performs a joint hypothesis test over all parameters of the network characterization matrix in the a-th time interval;
If the joint null hypothesis $H_0$ (the observation of every parameter of the network characterization matrix conforms to the expected value) is rejected, an intrusion is assumed in the a-th time interval and step 4 is executed (i.e. the next stage is entered);
If the joint null hypothesis $H_0$ is accepted, it is assumed that there is no intrusion in the a-th time interval, and the initial training profile (ITP) is updated; the initial training profile then reflects the current behaviour of the network (from the initial training profile it can be known whether the current network is normal).
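As an added example (not code from the patent), the following Python builds the initial training profile from N normal intervals and runs the per-parameter chi-square test and joint decision of this embodiment on a later interval, then shows the ITP update that follows an accepted null hypothesis. The page does not give formula (1) or the joint-test rule, so the block assumes that a parameter's probability distribution is the normalised histogram of its values within the interval, that formula (1) is the goodness-of-fit statistic $\sum (O-E)^2/E$ against the expected counts derived from the ITP, that the joint null hypothesis is rejected when any single parameter's null hypothesis is rejected at $\alpha = 0.05$, and that values never seen during training are pooled into one extra bin with a small assumed expected count. The parameter names, the critical-value table and the sample intervals are constructed for the example.

```python
from collections import Counter

# Row order of the network characterization matrix (embodiment 2); the names are ours.
PARAMS = ["route_reply", "route_request", "route_error", "ttl",
          "rreq_src_seq", "rrep_dst_seq", "rreq_dst_seq"]

# Upper-tail chi-square critical values at alpha = 0.05, keyed by degrees of freedom.
# Extend the table if a parameter has more than 10 trained categories.
CHI2_CRIT_05 = {1: 3.841, 2: 5.991, 3: 7.815, 4: 9.488, 5: 11.070,
                6: 12.592, 7: 14.067, 8: 15.507, 9: 16.919, 10: 18.307}
E_OTHER = 0.5  # assumed expected count for the pooled 'value never seen in training' bin


def distribution(seq):
    """Normalised histogram of one parameter's values in one interval."""
    n = len(seq)
    return {v: k / n for v, k in Counter(seq).items()}


def build_itp(intervals):
    """Initial training profile (embodiment 3): mean of the per-interval
    distributions over the N normal intervals. intervals: list of {param: [values]}."""
    itp = {}
    for b in PARAMS:
        acc = Counter()
        for iv in intervals:
            for v, p in distribution(iv[b]).items():
                acc[v] += p
        itp[b] = {v: s / len(intervals) for v, s in acc.items()}
    return itp


def chi_square(observed_seq, expected_dist):
    """Goodness-of-fit statistic of an observed interval against the ITP
    distribution of one parameter. Returns (X2, degrees of freedom)."""
    n = len(observed_seq)
    counts = Counter(observed_seq)
    x2 = 0.0
    for v, p in expected_dist.items():
        e = p * n
        o = counts.pop(v, 0)
        x2 += (o - e) ** 2 / e
    # whatever is left in counts was never seen during training: one pooled bin
    x2 += (sum(counts.values()) - E_OTHER) ** 2 / E_OTHER
    return x2, len(expected_dist)  # bins = trained categories + 1, df = bins - 1


def detect(observation, itp, crit=CHI2_CRIT_05):
    """Embodiment 4: test H0[b] for every parameter, then the joint decision.
    Returns (intrusion_suspected, {param: (X2, df, rejected)})."""
    per_param = {}
    for b in PARAMS:
        x2, df = chi_square(observation[b], itp[b])
        if df not in crit:
            raise ValueError("extend CHI2_CRIT_05 for df > 10")
        per_param[b] = (x2, df, x2 > crit[df])
    joint_rejected = any(r for _, _, r in per_param.values())
    return joint_rejected, per_param


def update_itp(itp, observation, n_seen):
    """When the joint H0 is accepted the interval is normal: fold it into the
    ITP as a running mean over the n_seen intervals already in the profile."""
    new = {}
    for b in PARAMS:
        d = distribution(observation[b])
        keys = set(itp[b]) | set(d)
        new[b] = {v: (itp[b].get(v, 0.0) * n_seen + d.get(v, 0.0)) / (n_seen + 1)
                  for v in keys}
    return new


def normal_interval():
    """Constructed 'normal' interval: 20 samples per parameter."""
    return {"route_reply": [1, 2] * 10,
            "route_request": ([1, 2, 3] * 7)[:20],
            "route_error": [0] * 18 + [1] * 2,
            "ttl": [32] * 15 + [30] * 5,
            "rreq_src_seq": [5, 6] * 10,
            "rrep_dst_seq": [7, 8] * 10,
            "rreq_dst_seq": [3, 4] * 10}


ITP = build_itp([normal_interval() for _ in range(5)])
BENIGN = normal_interval()
# Constructed black-hole-like interval: a burst of route errors and implausibly
# large route reply destination sequence numbers.
ATTACK = dict(normal_interval(),
              route_error=[1] * 14 + [0] * 6,
              rrep_dst_seq=[9999] * 15 + [7] * 5)

if __name__ == "__main__":
    for name, obs in (("benign", BENIGN), ("attack", ATTACK)):
        flagged, detail = detect(obs, ITP)
        print(name, "intrusion" if flagged else "normal",
              {b: round(x2, 1) for b, (x2, _, _) in detail.items()})
```

The pooled bin is what makes the test sensitive to the attack pattern the page targets: a black hole advertises destination sequence numbers the profile has never seen, and without that bin those values would simply fall out of the statistic. In a deployment the ITP should only be updated after an accepted joint test, as the text states, otherwise an attacker who stays just under the critical value in each interval can slowly drag the profile towards his own traffic.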
Other steps and parameter are identical as one of specific embodiment one to three.
Specific embodiment 5: this embodiment differs from embodiments 1 to 4 in that step 4, in which, on the basis of step 3, the attack confidence value (ACV) and the network performance degradation value (NP) are computed, the adaptive intrusion response action list is built from the ACV and the NP, a decision table is built from the attack confidence level, the network performance degradation level and the adaptive intrusion response action list, and the intrusion response is selected according to the decision table, as in Fig. 2, proceeds as follows:
Step 4.1: compute the attack confidence value (ACV) and the network performance degradation value (NP);
Step 4.2: build the adaptive intrusion response action list from the attack confidence value (ACV) and the network performance degradation value (NP);
Step 4.3: build a decision table from the attack confidence level, the network performance degradation level and the adaptive intrusion response action list, and select the intrusion response according to the decision table thus built.
Other steps and parameter are identical as one of specific embodiment one to four.
Specific embodiment 6: this embodiment differs from embodiments 1 to 5 in that step 4.1, computing the attack confidence value (ACV) and the network performance degradation value (NP), proceeds as follows:
As can be seen from Fig. 3, with P = 80% and d = 1, 2 or 3 the probability of correctly identifying a node as an intruder is above 90%. Avoiding false alarms is equally important: with P = 20%, for example, the probability of correctly identifying a node as an intruder is relatively low.
Within the current test sliding window, for every node identified as an intruder the management node executes the adaptive intrusion response mechanism. From the detection information and the accusation information, the management node computes the attack confidence value (ACV):
$ACV = w_1 \cdot CI + w_2 \cdot P_c$ (2)
where $w_1$ and $w_2$ are weight factors whose sum is 1, CI is the confidence interval of the chi-square statistic from the intrusion detection stage, and $P_c$ is the probability that the node is confirmed to be an intruder;
The management node computes the network performance degradation value (NP):
This is the weighted sum of the changes of the performance matrix parameters (throughput, packet delivery ratio, routing protocol overhead and number of lost control packets) between their values when no attack is under way and their current values.
$NP = w_1 \cdot \Delta Throughput + w_2 \cdot \Delta PTR + w_3 \cdot \Delta RPO + w_4 \cdot \Delta CPD$ (3)
where $\Delta Throughput$ is the change in throughput, $\Delta PTR$ the change in packet delivery ratio, $\Delta RPO$ the change in routing protocol overhead and $\Delta CPD$ the change in the number of lost control packets; $w_1$ to $w_4$ are weight factors whose sum is 1.
Table 1 defines four attack confidence levels: low, medium, high and very high.
Table 1 Mapping of ACV value to ACV level
ACV value                 ACV level
0% < ACV ≤ 25%            low
25% < ACV ≤ 50%           medium
50% < ACV ≤ 70%           high
ACV > 70%                 very high
Other steps and parameter are identical as one of specific embodiment one to five.
Specific embodiment 7: this embodiment differs from embodiments 1 to 6 in that step 4.2, building the adaptive intrusion response action list from the attack confidence value (ACV) and the network performance degradation value (NP), proceeds as follows:
The selected adaptive intrusion response action list comprises:
From the list of possible intrusion response actions in the literature, the appropriateness of a response action is judged by the size of the adverse effect the action may have on network performance. The effectiveness of these response actions in reducing the damage caused by the attack and in preventing further attacks by the intruding node was also analysed. Finally, based on the confidence in the detected attack and the effect of the attack on network performance, a response mechanism with three intrusion response actions is proposed. The selected intrusion response actions are listed below:
1. Full isolation: used when the confidence value of the detected attack is greater than 70% and the network performance degradation value is greater than 30%, i.e. when network performance falls once the attack starts. The intrusion is isolated: the other nodes in the network treat the intruder as if it did not exist. Although this causes rerouting, it still markedly improves overall network performance.
2. Bypass attacker: used when 25% < confidence value of the detected attack ≤ 70% and 10% ≤ network performance degradation value ≤ 30%. This keeps the data forwarding service in the network running normally while still preventing further attacks by the intruder.
3. No punishment: when 0% < confidence value of the detected attack ≤ 25% and 0% ≤ network performance degradation value < 10%, the response mechanism simply ignores the attack, which avoids any negative effect on network performance.
Other steps and parameter are identical as one of specific embodiment one to six.
Specific embodiment 8: this embodiment differs from embodiments 1 to 7 in that step 4.3, building a decision table from the attack confidence level, the network performance degradation level and the adaptive intrusion response action list and selecting the intrusion response according to it, proceeds as follows:
The attack confidence level and network performance degradation level defined above are used in the decision table (Table 2, a knowledge base built by the network administrator) to select the intrusion response. Driving the selection of the intrusion response from a decision table allows the network administrator to configure and modify the selection process for different network environments.
Table 2 IDARM decision table
M denotes medium, H high, L low and H+ very high;
Building the decision table:
Row 1 is the attack confidence level, which is divided into four levels:
Low: 0% < attack confidence value ≤ 25%;
Medium: 25% < attack confidence value ≤ 50%;
High: 50% < attack confidence value ≤ 70%;
Very high: attack confidence value > 70%;
Row 2 is the network performance degradation level, which is divided into four levels:
Low: 0% < network performance degradation value ≤ 10%;
Medium: 10% < network performance degradation value ≤ 20%;
High: 20% < network performance degradation value ≤ 30%;
Very high: network performance degradation value > 30%;
Row 3 is full isolation;
Row 4 is bypass attacker;
Row 5 is no punishment;
The intrusion response is selected according to the decision table thus built;
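As an added example (not the patent's own code), the following Python implements the response selection of step 4 as runnable functions: the ACV of equation (2), the NP of equation (3), the two level mappings used as rows 1 and 2 of the decision table, and a lookup of the (ACV level, NP level) pair in an administrator-editable table. The weights, the sample performance matrices, the treatment of CI as a value in [0, 1], and the way the performance deltas are normalised (relative change against the ITP baseline, signed so that a drop in throughput or delivery ratio and a rise in overhead or lost control packets count as degradation, clamped to [0, 1]) are assumptions; only the three decision-table cells that embodiment 7 states are filled, and the remaining cells are left as None for the administrator to configure.

```python
from dataclasses import dataclass

LEVELS = ("L", "M", "H", "H+")  # Table 2 legend: low, medium, high, very high
ISOLATE, BYPASS, NO_PUNISH = "full_isolation", "bypass_attacker", "no_punishment"


@dataclass(frozen=True)
class Perf:
    """Performance matrix of embodiment 2: throughput, packet delivery ratio
    (PTR), routing protocol overhead (RPO) and lost control packets (CPD)."""
    throughput: float
    ptr: float
    rpo: float
    cpd: float


def attack_confidence(ci, pc, w1=0.5, w2=0.5):
    """Eq. (2): ACV = w1*CI + w2*Pc with w1 + w2 = 1. CI and Pc are taken as
    values in [0, 1]; the weights are constructed."""
    assert abs(w1 + w2 - 1.0) < 1e-9
    return w1 * ci + w2 * pc


def degradation(baseline, current, w=(0.4, 0.3, 0.15, 0.15)):
    """Eq. (3): NP = w1*dThroughput + w2*dPTR + w3*dRPO + w4*dCPD.
    Assumption: each delta is the change relative to the ITP baseline, signed
    so that a fall in throughput/PTR and a rise in RPO/CPD count as
    degradation, and clamped to [0, 1]; the weights are constructed."""
    assert abs(sum(w) - 1.0) < 1e-9

    def rel_drop(b, c):   # metric where lower is worse
        return min(max((b - c) / b, 0.0), 1.0) if b else 0.0

    def rel_rise(b, c):   # metric where higher is worse
        if not b:
            return 1.0 if c > 0 else 0.0
        return min(max((c - b) / b, 0.0), 1.0)

    deltas = (rel_drop(baseline.throughput, current.throughput),
              rel_drop(baseline.ptr, current.ptr),
              rel_rise(baseline.rpo, current.rpo),
              rel_rise(baseline.cpd, current.cpd))
    return sum(wi * di for wi, di in zip(w, deltas))


def acv_level(acv):
    """Table 1 / decision table row 1."""
    return "H+" if acv > 0.70 else "H" if acv > 0.50 else "M" if acv > 0.25 else "L"


def np_level(np_):
    """Decision table row 2."""
    return "H+" if np_ > 0.30 else "H" if np_ > 0.20 else "M" if np_ > 0.10 else "L"


def default_decision_table():
    """(ACV level, NP level) -> action. Only the cells embodiment 7 states are
    filled; None marks cells the administrator must configure. The 10 % lower
    bound of the bypass rule falls in level L under the level definitions, so
    bypass is mapped to NP levels M and H."""
    table = {(a, n): None for a in LEVELS for n in LEVELS}
    table[("H+", "H+")] = ISOLATE            # ACV > 70 %, NP > 30 %
    for a in ("M", "H"):
        for n in ("M", "H"):
            table[(a, n)] = BYPASS           # 25 % < ACV <= 70 %, 10 % < NP <= 30 %
    table[("L", "L")] = NO_PUNISH            # ACV <= 25 %, NP <= 10 %
    return table


def select_response(acv, np_, table=None):
    """Returns ((ACV level, NP level), action); action is None for cells the
    page does not define."""
    if table is None:
        table = default_decision_table()
    key = (acv_level(acv), np_level(np_))
    return key, table[key]


# Constructed scenarios (not measurements from the patent).
BASELINE = Perf(throughput=100.0, ptr=0.95, rpo=0.10, cpd=4)
BLACK_HOLE = Perf(throughput=55.0, ptr=0.60, rpo=0.18, cpd=10)
GRAY_HOLE = Perf(throughput=85.0, ptr=0.80, rpo=0.13, cpd=6)
RUSHING = Perf(throughput=98.0, ptr=0.94, rpo=0.11, cpd=4)

if __name__ == "__main__":
    for name, ci, pc, perf in (("black hole", 0.95, 0.94, BLACK_HOLE),
                               ("gray hole", 0.70, 0.50, GRAY_HOLE),
                               ("rushing", 0.30, 0.10, RUSHING)):
        acv, np_ = attack_confidence(ci, pc), degradation(BASELINE, perf)
        print(name, round(acv, 3), round(np_, 3), select_response(acv, np_))
```

A `None` cell is deliberate: the page only fixes three of the sixteen combinations, and silently defaulting the rest to isolation would reintroduce exactly the over-reaction to minor attacks (rushing, some gray holes) that Fig. 10 to Fig. 12 argue against. An administrator filling the table should treat the high-ACV/low-NP cells with the same care, since a confidently detected attacker that is not yet hurting performance is the case where bypassing preserves service while still cutting off the routing plane.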
If the selected intrusion response is full isolation or bypass attacker, the management node broadcasts an accusation packet to notify all nodes of the intrusion response action. When a node receives an accusation packet it first checks the packet's broadcast address and source address; if the intruder $V_j$ named in the accusation packet is already on the node's permanent or temporary blacklist, the node ignores and deletes the packet to avoid unnecessary network traffic; otherwise, the node looks at the intrusion response action specified in the accusation packet for intruder $V_j$:
1) If the selected intrusion response is no punishment, the management node ignores the intrusion;
2) If the intrusion response action is full isolation, the node first adds intruder $V_j$ to its blacklist; all nodes in the network then isolate intruder $V_j$, immediately delete all packets from blacklisted nodes and ignore any packets from blacklisted nodes in all their queues;
3) If the intrusion response action is bypass attacker, the node first adds intruder $V_j$ to its temporary blacklist; to implement this response, all nodes ignore and delete routing packets, i.e. route requests, route replies and the other routing packets generated or forwarded by intruding node $V_j$, so as to prevent further attacks by the intruder;
All nodes exclude intruder $V_j$ from new route discovery, i.e. they select paths that do not include $V_j$;
Meanwhile, a node forwards the data packets it receives from $V_j$ along existing routes to maintain the current data forwarding service; accepting the data forwarding service from $V_j$ reduces the likelihood of an adverse effect on network performance, until the node finds a new route around $V_j$.
This response action also suits the case where $V_j$ occupies a key position in the network topology, or where isolating node $V_j$ would have a significant negative effect on network performance.
Other steps and parameter are identical as one of specific embodiment one to seven.
Specific embodiment 9: this embodiment differs from one of specific embodiments one to eight in that the process (described in specific embodiment six) for finding the probability Pc that a node is confirmed as an intruder is as follows:
In order to improve the probability of correctly identifying an intruder (with a low false alarm rate), the management node uses a test sliding window; IDARM responds to an intrusion only when a node has been determined to be an intruding node in multiple time intervals. Specifically, an intrusion response occurs only when a node has been determined to be an intruding node in all tests within a test sliding window of p time intervals. P is the size of the test sliding window in time intervals, i.e. the number of checks, and d is the minimum number of detections required to confirm that a detected node is an attacker. Each detection of an intruding node within a test sliding window is a Bernoulli trial (that is, the tests carried out within the test sliding window are identical and independent repeated experiments with two possible outcomes: detected or not detected). Therefore the probability of determining an intrusion is known from the sequence of Bernoulli trials;
In the formula, P is the size of the test sliding window in time intervals, i.e. the number of checks; d is the minimum number of detections required to confirm that a detected node is an attacker; the binomial coefficient appears in the formula; and Pc is the probability that the node is confirmed as an intruder.
Other steps and parameters are the same as in one of specific embodiments one to eight.
Specific embodiment 10: this embodiment differs from one of specific embodiments one to nine in that the process (described in specific embodiment four) for updating the initial configuration file (ITP) is as follows:
The initial configuration file (ITP) of the network characterization matrix is updated by an exponentially weighted moving average;
Each time interval is divided into q periods;
In the formula, the two quantities represent respectively the expected value and the observed value of network characterization matrix parameter b when the number of update periods is q;
The value of q increases within a time interval;
β is the weight factor, β = 2/q-1;
Therefore the updated profile is expected to reflect the current behaviour of the network.
Other steps and parameters are the same as in one of specific embodiments one to nine.
The beneficial effects of the present invention are verified by the following embodiment:
Embodiment one:
This embodiment is carried out according to the following steps:
The advantages of the present invention over the prior art can be described specifically with reference to Fig. 4 to Fig. 12:
Evaluation criteria for attack recognition:
Fig. 4 to Fig. 6 show the success rate and false alarm rate of IDARM under flooding attack, black hole and grey hole attack, and rushing attack. For each network size (25, 50 or 100 nodes) and test node average speed, 40 runs without intrusion and 40 runs with intrusion were executed. The data show that IDARM achieves a high success rate and a low false alarm rate for these attacks.
Evaluation of IDARM's selection of intrusion response behaviour:
Fig. 7 and Fig. 8 show how IDARM selects the intrusion response behaviour under black hole attack; Fig. 8 uses the improved network performance degradation level setting. The performance of IDARM was tested after a random intruding node launched a black hole attack. The results show that, for black hole attack, IDARM selects the isolation response to the intrusion in 90% of cases.
Fig. 9 shows how IDARM selects the intrusion response behaviour under flooding attack, using the same method as for the black hole attack and the improved network performance degradation level setting. The results show that IDARM selects isolation of the intruding node in 78% of cases on average, which overall demonstrates the appropriateness of the selected behaviour, and that IDARM scales well to larger networks with more than 100 nodes.
Fig. 10 shows how IDARM selects the intrusion response behaviour under rushing attack. The figure shows that for this attack IDARM chooses not to punish the intruding node in most cases. This is because the impact of a rushing attack on network performance is usually very low, and taking strict isolation measures against a minor attack would actually degrade network performance. The data therefore show the flexibility and effectiveness of IDARM.
Influence of IDARM on network performance:
Fig. 11 and Fig. 12 show the effectiveness of the intrusion response mechanism in networks of 25 and 50 nodes respectively. 30 attacks were performed in each network: 10 attacks with no response to the intrusion, 10 attacks with a fixed response (isolating the intruder) in all cases, and 10 attacks with the adaptive intrusion response. The statistics show that the average network degradation is lowest when the automated response mechanism is used. The adaptive response mechanism not only minimises the negative effect on network performance across all attacks, but also significantly reduces network performance degradation for some minor attacks (such as rushing attacks or some grey hole attacks).
Comparison with two typical existing techniques:
Fig. 11, Fig. 12 and Table 3 compare IDARM with the generalised intrusion detection and defence mechanism and with the cost-sensitive intrusion response model respectively. The data show that IDARM is more effective in enhancing network performance.
Table 3 Comparison of the cost-sensitive model and IDARM
The present invention may also have various other embodiments. Without departing from the spirit and substance of the present invention, those skilled in the art may make various corresponding changes and modifications in accordance with the present invention, but all such corresponding changes and modifications shall fall within the protection scope of the appended claims of the present invention.

Claims (10)

1. A mobile sensor network intrusion detection and adaptive response method, characterized in that the method comprises the following steps:
Step 1: monitoring the network and collecting data;
Step 2: processing the collected data and storing the processed data in an initial configuration file;
Step 3: based on step 2, the management node identifying intrusions in the network by an anomaly-based intrusion detection method using the parameters of the network characterization matrix;
Step 4: based on step 3, calculating the attack confidence value and the network performance degradation value; establishing an adaptive intrusion response behaviour list according to the attack confidence value and the network performance degradation value; establishing a decision table based on the attack confidence level, the network performance degradation level and the adaptive intrusion response behaviour list; and selecting the intrusion response according to the established decision table.
2. The mobile sensor network intrusion detection and adaptive response method according to claim 1, characterized in that monitoring the network and collecting data in step 1 comprises the following process:
Collecting data means that after each interval the cluster head collects the data from the cluster nodes of its virtual cluster; the data are stored in matrix form in a network characterization matrix and a performance matrix;
The cluster head reports the network characterization matrix and the performance matrix to the management node;
The network characterization matrix consists of 7 parameters: route reply, route request, route error, lifetime value, route request source sequence, route reply destination sequence and route request destination sequence;
Network characterization matrix = [route reply, route request, route error, lifetime value, route request source sequence, route reply destination sequence, route request destination sequence]
The performance matrix consists of 4 parameters: routing protocol overhead, packet transfer ratio, number of lost control packets and throughput;
Performance matrix = [routing protocol overhead, packet transfer ratio, number of lost control packets, throughput].
3. The mobile sensor network intrusion detection and adaptive response method according to claim 1 or 2, characterized in that processing the collected data in step 2 and storing the processed data in the initial configuration file comprises the following process:
The expected value of the network characterization matrix is expressed in terms of a set of random variables representing the network characterization matrix;
where a denotes the a-th time interval, b denotes the b-th parameter of the network characterization matrix, and c denotes the number of random variables in the b-th parameter of the network characterization matrix, 1 ≤ c ≤ M, M being the maximum number of random variables of the b-th parameter of the network characterization matrix in the a-th time interval;
The expected value of the performance matrix is denoted in the same way;
The management node calculates the expected value of the probability distribution of the network characterization matrix in the a-th time interval;
The performance matrix parameters in the a-th time interval, i.e. routing protocol overhead, packet transfer ratio, number of lost control packets and throughput, are calculated from the 7 parameters of the network characterization matrix;
The management node calculates the expected value P(bYc a) of the probability distribution of the performance matrix in the a-th time interval;
1 ≤ a ≤ N;
The management node then calculates the averages of the network characterization matrix and of the performance matrix over the N time intervals, and stores the averages in the initial configuration files of the network characterization matrix and the performance matrix.
4. The mobile sensor network intrusion detection and adaptive response method according to claim 3, characterized in that in step 3, based on step 2, the management node identifies intrusions in the network by an anomaly-based intrusion detection method using the parameters of the network characterization matrix, by the following process:
The probability distribution of each network characterization matrix parameter is calculated and stored as the observed value of that parameter;
In the a-th time interval, the management node performs a hypothesis test on the null hypothesis H0[b] of each observed parameter b of the network characterization matrix, i.e. calculates formula (1);
In the formula, X²[b] is the chi-square test value, computed from the observed values of the network characterization matrix;
The management node performs a joint hypothesis test over all parameters of the network characterization matrix in the a-th time interval;
If the joint null hypothesis H0 is rejected, an intrusion is assumed to have occurred in the a-th time interval and step 4 is executed;
If the joint null hypothesis H0 is accepted, it is assumed that no intrusion occurred in the a-th time interval, and the initial configuration file is updated.
5. The mobile sensor network intrusion detection and adaptive response method according to claim 4, characterized in that in step 4 the attack confidence value and the network performance degradation value are calculated based on step 3, the adaptive intrusion response behaviour list is established according to the attack confidence value and the network performance degradation value, the decision table is established based on the attack confidence level, the network performance degradation level and the adaptive intrusion response behaviour list, and the intrusion response is selected according to the established decision table, by the following process:
Step 4.1: calculating the attack confidence value and the network performance degradation value;
Step 4.2: establishing the adaptive intrusion response behaviour list according to the attack confidence value and the network performance degradation value;
Step 4.3: establishing the decision table based on the attack confidence level, the network performance degradation level and the adaptive intrusion response behaviour list, and selecting the intrusion response according to the established decision table.
6. The mobile sensor network intrusion detection and adaptive response method according to claim 5, characterized in that the attack confidence value and the network performance degradation value are calculated in step 4.1 by the following process:
The management node calculates the attack confidence value:
ACV = w1·CI + w2·Pc (2)
where w1 and w2 are weight factors whose sum equals 1, CI is the confidence interval, and Pc is the probability that the node is confirmed as an intruder;
The management node calculates the network performance degradation value:
NP = w1·ΔThroughput + w2·ΔPTR + w3·ΔRPO + w4·ΔCPD (3)
where ΔThroughput is the change in throughput; ΔPTR is the change in packet transfer ratio; ΔRPO is the change in routing protocol overhead; ΔCPD is the change in the number of lost control packets; and w3 and w4 are weight factors, the weights summing to 1.
7. The mobile sensor network intrusion detection and adaptive response method according to claim 6, characterized in that the adaptive intrusion response behaviour list is established in step 4.2 according to the attack confidence value and the network performance degradation value by the following process:
The adaptive intrusion response behaviour list for selection comprises:
1. Complete isolation: when the detected attack confidence value is greater than 70% and the network performance degradation value is greater than 30%;
2. Bypassing the attacker: when 25% < detected attack confidence value ≤ 70% and 10% ≤ network performance degradation value ≤ 30%;
3. No punishment: when 0% < detected attack confidence value ≤ 25% and 0% ≤ network performance degradation value < 10%.
8. The mobile sensor network intrusion detection and adaptive response method according to claim 7, characterized in that the decision table is established in step 4.3 based on the attack confidence level, the network performance degradation level and the adaptive intrusion response behaviour list, and the intrusion response is selected according to the established decision table, by the following process:
Establish the decision table:
The first row is the attack confidence level, which is divided into 4 grades:
Low: 0% < attack confidence value ≤ 25%;
Medium: 25% < attack confidence value ≤ 50%;
High: 50% < attack confidence value ≤ 70%;
Very high: attack confidence value > 70%;
The second row is the network performance degradation level, which is divided into 4 grades:
Low: 0% < network performance degradation value ≤ 10%;
Medium: 10% < network performance degradation value ≤ 20%;
High: 20% < network performance degradation value ≤ 30%;
Very high: network performance degradation value > 30%;
The third row is complete isolation;
The fourth row is bypassing the attacker;
The fifth row is no punishment;
The intrusion response is selected according to the established decision table;
1) If the selected intrusion response is no punishment, the management node ignores the intrusion;
2) If the intrusion response behaviour is complete isolation, the node first adds intruder Vj to its blacklist; all nodes in the network then isolate intruder Vj, immediately delete all data packets from the blacklisted node, and ignore data packets from the blacklisted node in all queues;
3) If the intrusion response behaviour is bypassing the attacker, the node first adds intruder Vj to its temporary blacklist; all nodes ignore and delete routing packets (route requests and route replies) generated or forwarded by the intruding node Vj;
All nodes exclude intruder Vj from new route discovery and select paths that do not include Vj;
Meanwhile, a node forwards the data packets it receives from Vj along existing routes, until the node finds a new route around Vj.
9. The mobile sensor network intrusion detection and adaptive response method according to claim 8, characterized in that the probability Pc that a node is confirmed as an intruder is found by the following process:
In the formula, P is the size of the test sliding window in time intervals, i.e. the number of checks; d is the minimum number of detections required to confirm that a detected node is an attacker; the binomial coefficient appears in the formula; and Pc is the probability that the node is confirmed as an intruder.
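As an added worked example (not the patent's code), the following Python puts claims 6 to 9 and the response procedure of specific embodiment eight together: formulas (2) and (3), the level thresholds of the decision table, the claim 7 response list, the node-side handling of an accusation packet and the sliding-window probability Pc. The weight values, the per-check detection probability and the binomial-tail form of Pc are assumptions, since the page does not print them.

```python
"""IDARM response selection: added example, not the patent's own code."""
from dataclasses import dataclass, field
from math import comb


def confirm_probability(window: int, min_detections: int, p_detect: float) -> float:
    """Pc: probability that at least d (`min_detections`) of P (`window`)
    independent Bernoulli checks flag the node, given a per-check detection
    probability p_detect.  The patent names P, d and a binomial coefficient
    but not the full expression; this binomial tail sum is an assumption."""
    if not 0 < min_detections <= window:
        raise ValueError("need 0 < d <= P")
    return sum(comb(window, k) * p_detect ** k * (1 - p_detect) ** (window - k)
               for k in range(min_detections, window + 1))


def attack_confidence(ci: float, pc: float, w1: float = 0.5, w2: float = 0.5) -> float:
    """Formula (2): ACV = w1*CI + w2*Pc, weights summing to 1 (values assumed)."""
    if abs(w1 + w2 - 1.0) > 1e-9:
        raise ValueError("w1 + w2 must equal 1")
    return w1 * ci + w2 * pc


def performance_degradation(d_throughput: float, d_ptr: float, d_rpo: float,
                            d_cpd: float, w=(0.25, 0.25, 0.25, 0.25)) -> float:
    """Formula (3): NP = w1*dThroughput + w2*dPTR + w3*dRPO + w4*dCPD
    (equal weights assumed; the deltas are fractions, not percentages)."""
    if abs(sum(w) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    return w[0] * d_throughput + w[1] * d_ptr + w[2] * d_rpo + w[3] * d_cpd


def acv_level(acv: float) -> str:
    """First row of the decision table: attack confidence level."""
    return "L" if acv <= 0.25 else "M" if acv <= 0.50 else "H" if acv <= 0.70 else "H+"


def np_level(np_value: float) -> str:
    """Second row of the decision table: network performance degradation level."""
    return "L" if np_value <= 0.10 else "M" if np_value <= 0.20 else "H" if np_value <= 0.30 else "H+"


def select_response(acv: float, np_value: float):
    """Claim 7 thresholds.  Combinations the claim does not cover (for example a
    very high ACV with low NP) belong to the administrator's Table 2, which
    the page does not reproduce, so None is returned instead of a guess."""
    if acv > 0.70 and np_value > 0.30:
        return "complete isolation"
    if 0.25 < acv <= 0.70 and 0.10 <= np_value <= 0.30:
        return "bypass attacker"
    if 0.0 < acv <= 0.25 and 0.0 <= np_value < 0.10:
        return "no punishment"
    return None


@dataclass
class Node:
    """Per-node state for handling a broadcast accusation packet (claim 8)."""
    blacklist: set = field(default_factory=set)        # permanent (isolation)
    temp_blacklist: set = field(default_factory=set)   # temporary (bypass)

    def handle_accusation(self, intruder: str, response: str) -> str:
        if intruder in self.blacklist or intruder in self.temp_blacklist:
            return "dropped"            # already listed: ignore and delete the packet
        if response == "complete isolation":
            self.blacklist.add(intruder)
            return "isolated"
        if response == "bypass attacker":
            self.temp_blacklist.add(intruder)
            return "bypassed"
        return "ignored"                # no punishment: state unchanged

    def accept_routing_packet(self, origin: str) -> bool:
        """Route requests/replies from any listed node are ignored and deleted."""
        return origin not in self.blacklist and origin not in self.temp_blacklist

    def accept_data_packet(self, origin: str) -> bool:
        """Isolation drops data; bypass keeps forwarding data on existing routes."""
        return origin not in self.blacklist
```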
10. The mobile sensor network intrusion detection and adaptive response method according to claim 9, characterized in that the initial configuration file is updated by the following process:
The initial configuration file of the network characterization matrix is updated by an exponentially weighted moving average:
Each time interval is divided into q periods;
In the formula, the two quantities represent respectively the expected value and the observed value of network characterization matrix parameter b when the number of update periods is q;
β is the weight factor, β = 2/q-1.
CN201910075324.4A 2019-01-25 2019-01-25 Network intrusion detection and adaptive response method for mobile sensor Expired - Fee Related CN109547504B (en)

Publications (2)

Publication Number Publication Date
CN109547504A true CN109547504A (en) 2019-03-29
CN109547504B CN109547504B (en) 2021-05-25


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20210525

Termination date: 20220125